
Cyber-attack on UK Electoral Commission systems – personal data has been obtained by hackers

The UK Electoral Commission has said that this incident was identified in October 2022 after suspicious activity was detected on their systems. It became clear that hostile actors had first accessed the systems in August 2021. During the cyber-attack, the perpetrators had access to the Commission’s servers which held their email, control systems, and copies of the electoral registers.

They were able to access reference copies of the electoral registers, held by the Commission for research purposes and to enable permissibility checks on political donations. The registers held at the time of the cyber-attack include the name and address of anyone in the UK who registered to vote between 2014 and 2022, as well as the names of those registered as overseas voters. The registers did not include the details of those registered anonymously. The Commission’s email system was also accessible during the attack.

Personal data affected by this incident:

  • Personal data contained in the Commission’s email system:
    • Name, first name and surname.
    • Email addresses (personal and/or business).
    • Home address if included in a webform or email.
    • Contact telephone number (personal and/or business).
    • Content of the webform and email that may contain personal data.
    • Any personal images sent to the Commission.
  • Personal data contained in Electoral Register entries:
    • Name, first name and surname.
    • Home address in register entries.
    • Date on which a person achieves voting age that year.

Electoral Register data not held by the Commission:

  • Anonymous registrations
  • Address of overseas electors registered outside of the UK.

The Commission holds copies of the electoral registers to enable its statutory functions. They are used for research purposes and to enable permissibility checks on political donations. The electoral register data held by the Commission has not been amended or changed in any way as a result of the attack and remains in the form in which they received it. The data contained in the registers is limited, and much of it is already in the public domain.

According to the risk assessment used by the Information Commissioner’s Office to assess the harm of data breaches, the personal data held on the electoral registers – typically name and address – does not in itself present a high risk to individuals. It is possible, however, that this data could be combined with other data in the public domain, such as that which individuals choose to share themselves, to infer patterns of behaviour or to identify and profile individuals.

The attack has not had an impact on the electoral process, has not affected the rights or access to the democratic process of any individual, nor has it affected anyone’s electoral registration status.

The personal data held on the Commission’s email servers is also unlikely to present a high risk to individuals unless someone has sent them sensitive or personal information in the body of an email, as an attachment or via a form on its website. Such information may include medical conditions, gender, sexuality, or personal financial details. Information related to donations and/or loans to registered political parties and non-party campaigners is held in a system not affected by this incident.

They have said that no immediate action needs to be taken in response to this notification. However, anyone who has been in contact with the Commission, or who was registered to vote between 2014 and 2022, should remain vigilant for unauthorised use or release of their personal data.

The Electoral Commission has worked with the National Cyber Security Centre (NCSC) and external experts to investigate the incident and has since made improvements to the security of its IT systems, it said.

Jason Davies

I am one of the editors here at I am a UK based technology professional, with an interest in computer security and telecoms.
