The commission, an independent body that oversees elections in the UK, reported it had been the subject of a “complex cyber-attack” that resulted in hackers accessing reference copies of the electoral registers.

These contained the name and address of anyone in the UK who was registered to vote between 2014 and 2022, as well as names of overseas voters. This equates to the data of 40 million people. The Electoral Commission said it did not know whether the data had been downloaded.

The commission said it was “not able to know conclusively” what information had been accessed. It added that the personal data in the commission’s email system, which was also hacked, included email addresses of people who had contacted the commission; any personal images sent to the commission; and contact telephone numbers. The attack on the Electoral Commission compromised its file sharing and email system, allowing access to the online addresses and data of anyone who messaged its staff.

The National Cyber Security Centre, which is investigating the incident, did not rule out the possibility of a foreign state attack. The Electoral Commission does not know whether any of the email data was taken. The information, however, could be combined with other data, such as social media, to profile individuals.

Key Points
  • The nature and duration of the cyber-attack indicate the sophistication of the assailants.
  • The sophistication and ambition of the attack may point to a state-backed entity.
  • The attack could leave individuals exposed to manipulation before they make their paper vote.
  • It could also leave individuals exposed to fraud attempts, which state-sponsored actors, as well as cyber-criminals, have been known to make.
Action Required
  • Organisations should take appropriate and significant steps, with the support of specialists, to improve the security, resilience, and reliability of their IT systems.
  • Consider a penetration test by IT specialists to measure resilience.

For further discussion and support, including data protection awareness training services, please email dpa@tiaa.co.uk.