The UK’s elections watchdog has revealed it has been the victim of a complex cyber-attack potentially affecting millions of voters.
The Electoral Commission said unspecified ‘hostile actors’ had managed to gain access to copies of the electoral registers, from August 2021. Note the word ‘unspecified’ is used – do they even know?
Hackers also broke into its emails and “control systems” but the attack was not discovered until October last year. The watchdog has warned people to watch out for unauthorised use of their data.
The commission said hackers accessed copies of the registers it was holding for research purposes, and for conducting checks on political donors. The commission knew which of its systems were accessible to the hackers, but could not ‘conclusively’ identify which files may have been accessed.
‘Very sophisticated’ attack
The personal data held on the registers – name and address – did not itself present a ‘high risk’ to individuals, it added, although it is possible it could be combined with other public information to ‘identify and profile individuals’.
It has not said when the hackers’ access to its systems was stopped, but said they were secured as soon as possible after the attack was identified in October 2022. Why was it left so long to be made public and how long did it take to make systems secure again?
Explaining why it had not made the attack public before now, the commission said it first needed to stop the hackers’ access, examine the extent of the incident and put additional security measures in place.
Defending the delay, commission chair John Pullinger said: “If you go public on a vulnerability before you have sealed it off, then you are risking more vulnerabilities.” He is reported to have said the ‘very sophisticated attack involved using software to try and get in and evade our systems’. Well, that clearly worked then.
He reportedly said that the hackers were not able to alter or delete any information on the electoral registers themselves, which are maintained by registration officers around the country. Information about donations and loans to political parties and registered campaigners is held in a system that is not affected by this incident, the notice added. He understood public concern, and would like to apologise to those affected.
Steps
The commission added that it had taken steps to secure its systems against future attacks, including by updating its login requirements, alert system and firewall policies. The Information Commissioner’s Office, which is responsible for data protection in the UK, said it was urgently investigating.
Labour’s deputy leader Angela Rayner reportedly said: ‘This serious incident must be fully and thoroughly investigated so lessons can be learned’. Why wouldn’t it be investigated? I dislike it immensely when clueless politicians roll out this ‘standard remark’ as an attempt to demonstrate they ‘know what’s going on’.
Then what? It happens again and we have to… learn more lessons…?
Step up the security – we have the ability!