The Electoral Commission has publicly confirmed that it has experienced a cyber-attack in which “hostile actors” accessed its systems.
It said the hostile actors had access to servers which hold its email, control systems and copies of the electoral registers.
Since the cyber-attack, it said it had “worked with external security experts and the National Cyber Security Centre to investigate and secure our systems.”
Details of tens of millions of voters could have been accessed by hackers who targeted the elections watchdog.
Today we announced that we have been the subject of a complex cyber-attack, and our systems were accessed by hostile actors.
— Electoral Commission (@ElectoralCommUK) August 8, 2023
However, the Electoral Commission said there was little risk of “hostile actors” being able to influence the outcome of a vote but apologised for the breach in its systems.
The Electoral Commission took to Twitter to share the news of the cyber-attack, writing: “The electoral registers include the name and address of those registered to vote between 2014 and 2022, the names of overseas voters, but not the details of anonymous voters.
“While much of this data is already in the public domain, we understand the concern this may cause.
“We regret that we could not prevent this cyber-attack and apologise to those affected. We have since made improvements to the security, resilience, and reliability of the Commission’s IT systems.”
The Electoral Commission added that it has notified the Information Commissioner’s Office and is in contact with them.
If you’re wondering how this cyber-attack might affect you, there are links to the Electoral Commission included in the tweets that may help you find answers.
The attack was identified in October 2022, but the hackers had first been able to access the commission’s systems in August 2021.
Shaun McNally, the Electoral Commission’s chief executive, said: “The UK’s democratic process is significantly dispersed and key aspects of it remain based on paper documentation and counting.
“This means it would be very hard to use a cyber-attack to influence the process.
“Nevertheless, the successful attack on the Electoral Commission highlights that organisations involved in elections remain a target, and need to remain vigilant to the risks to processes around our elections.”
He said significant measures had been taken to improve security on the commission’s IT systems.
“We know which systems were accessible to the hostile actors, but are not able to know conclusively what files may or may not have been accessed,” he said.
“While the data contained in the electoral registers is limited, and much of it is already in the public domain, we understand the concern that may have been caused by the registers potentially being accessed and apologise to those affected.”
The National Cyber Security Centre said it had provided the commission with expert advice and support.
A spokesman said: “Defending the UK’s democratic processes is a priority for the NCSC and we provide a range of guidance to help strengthen the cyber resilience of our electoral systems.”
The Information Commissioner’s Office said it was looking into the incident.
“We recognise this news may cause alarm to those who are worried they may be affected and we want to reassure the public that we are investigating as a matter of urgency,” a spokesman said.
“In the meantime, if anyone is concerned about how their data has been handled, they should get in touch with the ICO or check our website for advice and support.”