Electoral Commission targeted by 'hostile actors' in cyber attack as hackers access millions of name and address details

8 August 2023, 14:08 | Updated: 8 August 2023, 14:26

Details of tens of millions of voters could have been accessed by hackers who targeted the elections watchdog.
Details of tens of millions of voters could have been accessed by hackers who targeted the elections watchdog. Picture: Alamy

By Emma Soteriou

Millions of voters are thought to have been caught up in a security breach after "hostile actors" got access to the names and addresses of those who registered to vote between 2014 and 2022.

Listen to this article

Loading audio...

The Electoral Commission apologised after it was targeted in the 2021 cyber attack but insisted there was little risk that it would have influenced the outcome of a vote.

The attack was identified in October 2022, but the hackers had first been able to access the commission's systems in August 2021.

They were able to access reference copies of the electoral registers, held by the commission for research purposes and to enable permissibility checks on political donations.

The registers held at the time of the cyber-attack did not include the details of those registered anonymously.

Read more: Knife attack at British Museum: Man arrested after stabbing in the queue

Read more: 'We will punish and disgrace rogue lawyers who help small boat migrants lie to stay in UK', justice secretary vows

The Electoral Commission said: "Today we announced that we have been the subject of a complex cyber-attack, and our systems were accessed by hostile actors.

"Hostile actors were active in our systems and had access to servers which held our email, control systems, and copies of the electoral registers.

"We have since worked with external security experts and the National Cyber Security Centre to investigate and secure our systems.

"The electoral registers include the name and address of those registered to vote between 2014 and 2022, the names of overseas voters, but not the details of anonymous voters.

"While much of this data is already in the public domain, we understand the concern this may cause.

"We regret that we could not prevent this cyber-attack and apologise to those affected. We have since made improvements to the security, resilience, and reliability of the Commission’s IT systems.

"We notified the Information Commissioner’s Office and remain in contact with them."

Today we announced that we have been the subject of a complex cyber-attack, and our systems were accessed by hostile...

Posted by Electoral Commission UK on Tuesday, August 8, 2023

Chief executive Shaun McNally said significant measures have since been taken to improve security on the commission's IT systems.

"We know which systems were accessible to the hostile actors, but are not able to know conclusively what files may or may not have been accessed," he said.

"While the data contained in the electoral registers is limited, and much of it is already in the public domain, we understand the concern that may have been caused by the registers potentially being accessed and apologise to those affected."

The National Cyber Security Centre said it had provided the commission with expert advice and support.

A spokesman said: "Defending the UK's democratic processes is a priority for the NCSC and we provide a range of guidance to help strengthen the cyber resilience of our electoral systems."

The Information Commissioner's Office said it was looking into the incident.

"We recognise this news may cause alarm to those who are worried they may be affected and we want to reassure the public that we are investigating as a matter of urgency," a spokesman said.

"In the meantime, if anyone is concerned about how their data has been handled, they should get in touch with the ICO or check our website for advice and support."