Russia ‘prime suspect’ in cyber attack which saw names and addresses of 40M UK voters exposed - reports
Hackers were able to access the names and addresses of anyone in the UK registered to vote between 2014 and 2022.

By Imogen Howse
8th Aug 2023, 10:15pm
Russia is suspected to have been behind a cyber attack which exposed the data of tens of millions of voters in the UK, raising fears it was an attempt to undermine democracy.

The Electoral Commission admitted on Tuesday (8 August) that hackers had been able to access reference copies of electoral registers from between the years 2014 and 2022 - files which contained the names and addresses of the 40 million people registered to vote during that timeframe.

While the security breach was only made public on Tuesday (8 August), it first took place all the way back in August 2021. However, shockingly, it was more than a year before anyone noticed the cyber-attack had happened - with reports to the Information Commissioner’s Office (ICO) and National Crime Agency only made in October 2022.

Now, according to The Telegraph and The Times, Britain’s intelligence services have detected evidence linking the attack to Russians. It is also understood that signs of ransomware - a form of software that can block users from accessing files - were found, prompting concerns that the Electoral Commission, the body which oversees elections, could have been locked out of voter lists ahead of a ballot.

Speaking to BBC Radio 4 about the news, former director of GCHQ Sir David Omand claimed Moscow would be “first on [his] list of suspects”. He said: “Russians – and I point to them in particular – have been interfering with democratic elections for some years now. Think of the 2016 US election, then the French election, then the German election, and even our own 2019 election.”

Meanwhile, Sir Richard Dearlove, the former head of MI6, echoed these comments - remarking that Russia “would be at the top of the suspects list by a mile”. However, the identities of the so-called “hostile actors” behind the data breach are still yet to be fully confirmed.

Hackers had access to the names and addresses of millions of voters in the UK for more than a year before anyone noticed. Credit: Getty Images

Russia was publicly accused by the United States of being behind attempts to meddle in presidential elections in both 2016, when Donald Trump was elected, and in 2020, when Joe Biden was elected. US government figures claimed they were attempts to undermine democracy.

In 2017, Moscow was accused of meddling in elections in France and Germany, and in 2019, similar allegations were made regarding the UK general election. The government claimed that Russians had “illicitly acquired” and then “amplified” documents about post-Brexit trade talks with the US, which were then used by the Labour Party in their campaign.

When it announced the breach on Tuesday (8 August), the Electoral Commission said the reason it took so long to detect the hackers was because the attack had “used a sophisticated infiltration method intended to evade our checks”. The data which was at risk included the names and addresses of anyone in the UK registered to vote between 2014 and 2022, as well as the names of those registered as overseas voters.

A spokesperson for the watchdog admitted they are “not able to know conclusively” exactly what or whose information had been accessed - but said “much of the data” was already in the public domain. They also added that, due to the paper-based process of elections in the UK, it would be “very hard” for the hackers to influence the outcome of a vote - but acknowledged that voters would likely still be concerned.

Responding to questions on Twitter, now known as X, about why the breach had only been revealed now, the watchdog wrote: “We needed to remove the actors and their access to our system, assess the extent of the incident, liaise with the National Cyber Security Centre and ICO, and put additional security measures in place before we could make the incident public.”


In a statement, Shaun McNally, the Electoral Commission’s chief executive, said: “The UK’s democratic process is significantly dispersed and key aspects of it remain based on paper documentation and counting. This means it would be very hard to use a cyber-attack to influence the process.

“Nevertheless, the successful attack on the Electoral Commission highlights that organisations involved in elections remain a target, and need to remain vigilant to the risks to processes around our elections.

“We know which systems were accessible to the hostile actors, but are not able to know conclusively what files may or may not have been accessed. While the data contained in the electoral registers is limited, and much of it is already in the public domain, we understand the concern that may have been caused by the registers potentially being accessed.”

He then apologised to those affected - and assured voters that “significant” measures had since been taken to improve the security of the watchdog’s systems.

The Electoral Commission holds the details of voters for research purposes and to enable permissibility checks on political donations. This data is gathered in an electoral register, which includes the names and addresses of the roughly 40 million people in the UK registered to vote each year. This information was available during the hack, although the details of those registered to vote anonymously were not accessed.

In response to the cyber-attack, the National Cyber Security Centre provided the Electoral Commission with expert advice and support. A spokesperson said: “Defending the UK’s democratic processes is a priority for the NCSC and we provide a range of guidance to help strengthen the cyber resilience of our electoral systems.”

The Information Commissioner’s Office, which is looking into the incident, added: “We recognise this news may cause alarm to those who are worried they may be affected and we want to reassure the public that we are investigating as a matter of urgency.

“In the meantime, if anyone is concerned about how their data has been handled, they should get in touch with the ICO or check our website for advice and support.”