Electoral Commission hit by ‘complex’ 15-month cyber attack
Cyber criminals, who first breached the organization’s systems in August 2021, were identified in October last year
 
 
The UK’s Electoral Commission has warned that hostile actors have accessed voter data, including names and addresses, belonging to anyone registered to vote in elections between 2014 and 2022.
The attackers gained access to full names, addresses, and the date on which a person achieves voting age – which is 18 for UK parliamentary elections.
The attackers also had access to the commission’s email and control system as well as the names of those registered as overseas voters, but not their addresses, since the organization doesn’t hold this data. Personal data contained in the email system was also affected and includes name, email, address, telephone numbers, and any personal images along with webform data.
The Information Commissioner’s Office (ICO) risk assessment doesn’t suggest that exposing such personal data by itself puts individuals at high risk, given much of this information is already in the public domain. But combined with other pieces of information, it could be used to identify or profile individuals.
Webform data or email attachments, meanwhile, could potentially contain sensitive information such as medical or personal financial details.
No group has claimed responsibility for the attack at the time of writing. The Electoral Commission has reported the incident to the National Cyber Security Centre, and said it notified the ICO within 72 hours of identifying the breach.
The fact that systems were first accessed in August 2021, more than a year before suspicious activity was identified, suggests the cyber criminals were patient and possibly surveilling internal operations.
The commission has been quick to reassure voters that the data can’t be used to interfere with the UK’s electoral process, and insisted the exposed data isn’t enough to impersonate a voter under current rules. But the stolen data could help fuel future attacks and other forms of fraud, according to Matt Aldridge, principal solutions consultant at OpenText Cybersecurity.
“If a nation-state actor was at work here, this data could be used to boost any influence campaigns they are running against UK targets in an effort to support that nation’s competitive agenda,” he said.
Stolen names and home addresses could contribute to targeted social engineering attacks, for example. Aldridge urged organizations to learn from this breach, check their defenses, and ensure staff are trained in cyber security best practices.
“Rather than viewing data protection as a box-ticking exercise,” he continued, “it should be a key priority and integrated into every aspect of an organization.”
The commission hasn’t disclosed how it became aware of the attack, but said it’s been implementing a number of mitigations: “We have strengthened our network login requirements, improved the monitoring and alert system for active threats and reviewed and updated our firewall policies.”

Richard Speed is an expert in databases, DevOps and IT regulations and governance. He was previously a Staff Writer for ITPro, CloudPro and ChannelPro, before going freelance. He first joined Future in 2023 having worked as a reporter for The Register. He has also attended numerous domestic and international events, including Microsoft's Build and Ignite conferences and both US and EU KubeCons.
Prior to joining The Register, he spent a number of years working in IT in the pharmaceutical and financial sectors.