In a stark reminder of the persistent online threats facing national institutions, the UK's Electoral Commission revealed that it had been compromised in a meticulously orchestrated cyber-attack potentially affecting millions of voters.
The breach came to light in October 2022, when anomalous activities were detected on the commission's digital systems.
A deeper dive into the matter revealed that intruders had penetrated the systems as far back as August 2021, where the perpetrators managed to secure access to copies of electoral registers which were meant for research purposes.
Furthermore, the hackers also compromised the emails and control systems of the commission.
The commission believes it is difficult to estimate exactly how many people could be affected but it estimates the register for each year contains the details of around 40 million people.
Today we announced that we have been the subject of a complex cyber-attack, and our systems were accessed by hostile actors.— Electoral Commission (@ElectoralCommUK) August 8, 2023
Lapse in Cybersec measures
Conveying the broader implications of the data breach, Electoral Commission chief executive Shaun McNally said: “The UK’s democratic process is significantly dispersed and key aspects of it remain based on paper documentation and counting.
“This means it would be very hard to use a cyber-attack to influence the process.
“Nevertheless, the successful attack on the Electoral Commission highlights that organisations involved in elections remain a target and need to remain vigilant to the risks to processes around our elections.
“Regrettably, McNally also admitted to a lapse in the commission's cybersecurity measures:
“We regret that sufficient protections were not in place to prevent this cyber-attack.
“Since identifying it we have taken significant steps, with the support of specialists, to improve the security, resilience and reliability of our IT systems."
What was compromised?
Of grave concern is that during this cyber-attack, intruders accessed the commission's reference copies of electoral registers used for research and verifying political donations.
This data encompassed voter registrations from 2014 to 2022, including overseas registrants.
However, the details of anonymously registered voters remained untouched and the commission's email system was not spared from this breach.
We understand that you may have questions about how this affects you. We have answered as many as we can in our FAQ: https://t.co/SPcqrPFjb4— Electoral Commission (@ElectoralCommUK) August 8, 2023
Potential impact
McNally expanded on the potential impact of this unauthorised access, stating: “We know which systems were accessible to the hostile actors but are not able to know conclusively what files may or may not have been accessed.
“While the data contained in the electoral registers is limited, and much of it is already in the public domain, we understand the concern that may have been caused by the registers potentially being accessed and apologise to those affected.”
The duration of the hackers' presence within the Electoral Commission systems, starting from August 2021, suggests that this wasn't a mere criminal endeavour aiming for swift financial gain via extortion.
Such prolonged, covert access points to a highly competent and patient threat actor
The nature of this hack seems more aligned with a reconnaissance attack, researching into details about the UK's democratic system to identify potential vulnerabilities.