The UK’s elections watchdog has been targeted by a cyber-attack that enabled “hostile actors” to access electoral registers.
The Electoral Commission revealed it had been hacked but was “not able to know conclusively” what information had been accessed and said it apologised to people whose information was accessible to the hackers.
It said, however, that the largely paper-based process of elections meant it would be very hard for hackers to influence the outcome of a vote.
The incident was identified in October 2022, but attackers first accessed the commission’s systems in August 2021.
The commission’s chief executive, Shaun McNally, said: “The UK’s democratic process is significantly dispersed and key aspects of it remain based on paper documentation and counting.
“This means it would be very hard to use a cyber-attack to influence the process. Nevertheless, the successful attack on the Electoral Commission highlights that organisations involved in elections remain a target, and need to remain vigilant to the risks to processes around our elections.”
The attackers were able to access reference copies of the electoral registers, held by the Electoral Commission for research purposes and to enable permissibility checks on political donations. The registers held at the time of the cyber-attack include the names and address of anyone in the UK who was registered to vote between 2014 and 2022, as well as the names of those registered as overseas voters.
The registers did not include the details of those registered anonymously.
The commission’s email system was also accessible during the attack.
McNally said: “We regret that sufficient protections were not in place to prevent this cyber-attack. Since identifying it, we have taken significant steps with the support of specialists to improve the security, resilience, and reliability of our IT systems.”
He added: “We know which systems were accessible to the hostile actors, but are not able to know conclusively what files may or may not have been accessed. While the data contained in the electoral registers is limited, and much of it is already in the public domain, we understand the concern that may have been caused by the registers potentially being accessed and apologise to those affected.”