The cybercriminals first accessed the electoral systems in August 2021 and were able to access reference copies of the electoral registers between 2014 and 2022.
The UK’s electoral commission has revealed details of a “complex cyberattack” it suffered, which may have affected as many as 40m voters.
In a statement, the electoral watchdog said the incident was identified in October 2022 after suspicious activity was detected on its systems. “It became clear that hostile actors had first accessed the systems in August 2021,” it wrote.
The hackers were able to access the commission’s servers which held the organisation’s email, control systems and copies of the electoral registers.
“The registers held at the time of the cyberattack include the name and address of anyone in the UK who registered to vote between 2014 and 2022, as well as the names of those registered as overseas voters,” the commission stated.
While the registers did not include the details of those registered anonymously, the commission’s email system was accessible during the attack. A spokesperson told SiliconRepublic.com that, while it is difficult to accurately predict the number of people affected, they estimate the register for each year holds the details of around 40m individuals.
Shaun McNally, chief executive of the electoral commission, said he regrets that sufficient protections weren’t in place to prevent the breach.
“We know which systems were accessible to the hostile actors but are not able to know conclusively what files may or may not have been accessed,” he said.
“While the data contained in the electoral registers is limited, and much of it is already in the public domain, we understand the concern that may have been caused by the registers potentially being accessed and apologise to those affected.”
Elections remain a target
Mike Newman, CEO of My1Login, said that the incident has the potential to put millions of British citizens at risk.
“With the information stored on their servers relating to home addresses, telephone numbers and emails, attackers could now use this data to send out highly sophisticated phishing scams, especially those in relation to this incident,” he said.
“It is wise to therefore treat email correspondence relating to the breach with caution and to avoid clicking on links in emails or giving away personal information.”
The commission said it has taken steps to secure its systems against future attacks and improved protections around personal data. “The commission has worked with external security experts and the National Cyber Security Centre to investigate and secure its systems.”
McNally said the significantly dispersed nature of the UK’s democratic process and the fact that key aspects of it remain based on paper documentation mean that it would be very hard to use a cyberattack to influence the process.
“Nevertheless, the successful attack on the electoral commission highlights that organisations involved in elections remain a target and need to remain vigilant to the risks to processes around our elections.”
The hacking of electoral systems has been a concern for quite some time now. In the US, there are ongoing fears around the potential vulnerabilities of voting machines, while in Germany in 2017, white hat hackers from the Chaos Computer Club warned of huge weaknesses in German election software.
More recently, the European Parliament website was hit by a “sophisticated” cyberattack after EU lawmakers declared Russia a “state sponsor of terrorism”.