Cyber Incident Victim: Electoral Commission UK
Date: Aug 2021
Location: United Kingdom
Summary
A cyber attack targeted the Electoral Commission's systems, compromising servers containing email communications, control systems, and electoral registers. Hostile actors accessed reference copies of registers with names and addresses of registered voters in Great Britain over an eight-year period and Northern Ireland voters during a specific year, excluding anonymous registrations. The breach also exposed personal data within emails, including contact details and sensitive information voluntarily submitted by individuals. While the Commission assessed that the standalone register data posed low risk, it acknowledged potential profiling if combined with other public information. The incident did not impact electoral processes or registration statuses. Mitigation efforts included enhanced network security, monitoring improvements, and collaboration with national cybersecurity experts to fortify systems against future attacks.
Description
The Electoral Commission of the United Kingdom identified a cyber-attack in October 2022 following the detection of suspicious activity on its systems. Forensic investigations revealed that hostile actors had initially gained unauthorized access to the Commission's servers in August 2021, maintaining a persistent presence for over fourteen months before detection. During this period, attackers compromised servers containing the Commission's email system, internal control systems, and reference copies of electoral registers. The accessed electoral registers contained names and addresses of all registered voters in Great Britain between 2014 and 2022, names of overseas voters from the same period, and names with addresses of Northern Ireland registrants from 2018. Anonymous voter registrations were excluded from these records. The email system breach exposed personal data including correspondents' names, email addresses, telephone numbers, home addresses (when provided), and any sensitive information voluntarily shared through webforms or attachments.

The Commission assessed that the electoral register data alone did not present high individual risk since it primarily contained publicly available information, though noted potential risks if combined with other datasets for profiling purposes. No evidence indicated manipulation of register data or impact on electoral processes, voting rights, or registration statuses. Email content presented greater potential risk if senders had disclosed sensitive details like medical or financial information. Following discovery, the Commission engaged security specialists and the National Cyber Security Centre to investigate, contain the breach, and implement security enhancements including strengthened login requirements, improved threat monitoring systems, and updated firewall policies. Public notification was issued due to the high volume of potentially accessed personal data rather than assessed high individual risk, with affected individuals advised to remain vigilant regarding potential misuse of their information. The Commission confirmed that political donation records remained uncompromised as they resided on separate systems unaffected by the attack.
