The Electoral Commission has revealed that they were struck by a “complex cyber-attack” which saw cyber criminals access electoral registers.
The initial breach occurred in August 2021 as “hostile actors” gained access to copies of electoral registers, but the attack was not identified until October 2022, over a year later.
The Electoral Commission admitted that the breach resulted in personal data, such as home addresses and personal images were compromised, as well as email addresses, names and telephone numbers.
Shaun McNally, Chief Executive of the Electoral Commission, warned that the attack did not influence electoral outcomes, saying: “The UK’s democratic process is significantly dispersed and key aspects of it remain based on paper documentation and counting.”
“This means it would be very hard to use a cyber-attack to influence the process. Nevertheless, the successful attack on the Electoral Commission highlights that organisations involved in elections remain a target, and need to remain vigilant to the risks to processes around our elections.”
Suid Adeyanju, CEO of RiverSafe commented: “Cyber criminals will relentlessly and ruthlessly target any organisation that manages large volumes of personal data, and the Electoral Commission is unfortunately a priority target for these kinds of attacks. While the specific details of the breach have yet to be revealed, this example should serve as a wake-up call to the many senior executives sleepwalking into a cyber catastrophe and underestimating this growing threat.
“Ensuring software patches are up-to-date and implementing cybersecurity awareness training for staff are vital measures to ensure that organisations stay protected. Especially with the use of AI fuelling more sophisticated cyber assaults, it’s absolutely critical that substantial safeguards and preventative measures are put in place before, rather than after an attack takes place.”
The Information Commissioner’s Office has said it’s urgently investigating the brief, while the Electoral Commission stated that it’s taken additional steps to secure its IT systems to protect against future attacks.