UK electoral register hacked by ‘hostile actors’, watchdog reveals

The UK’s elections watchdog has suffered a “complex cyber attack” in which hackers obtained copies of the electoral register and had access to its systems for more than a year.

The Electoral Commission said in a public notice on Tuesday that “hostile actors” first breached its network in August 2021, but that “suspicious activity” was not identified until last October.

“We do not know who is responsible for the attack,” the commission said, adding that no groups or individuals had claimed the attack.

The registers that were breached included the names and home addresses of all those who registered for a ballot between 2014 and 2022, and the date on which each person reached voting age, as well as details of overseas voters.

The data of people who registered for a vote anonymously was not accessed.

“We understand the concern this attack may cause and apologise to those affected,” the commission said, as it insisted there was little risk of the hackers being able to influence the outcome of a vote or impersonate individual voters. “There has been no impact on the security of UK elections,” it added.

However, Britons who were potentially affected should remain “vigilant for unauthorised use or release” of their personal details, the watchdog warned. 

While the watchdog insisted the breach “does not pose a high risk” to individuals, it said the data obtained could be matched to other information in the public domain and used to “infer patterns of behaviour or to identify and profile” people.

Shaun McNally, Electoral Commission chief executive, said: “The UK’s democratic process is significantly dispersed and key aspects of it remain based on paper documentation and counting.

“This means it would be very hard to use a cyber attack to influence the process.

“Nevertheless, the successful attack on the Electoral Commission highlights that organisations involved in elections remain a target, and need to remain vigilant to the risks to processes around our elections.”

The watchdog disclosed details of the cyber attack under UK data protection laws that require public bodies to notify people if their data has been lost or stolen from systems.

It explained that it had held “reference copies” of the electoral register for research purposes and to enable permissibility checks on political donations.

The hackers also had access to the commission’s email system and “control systems”, the watchdog said. This meant the email addresses and phone numbers of people who corresponded with the Electoral Commission may have been taken.

The watchdog reported the breach to the National Cyber Security Centre, which is part of GCHQ and advises UK companies on combating cyber crime, and the Information Commissioner’s Office (ICO), the data protection regulator. Security specialists have since been brought in to investigate and secure the commission’s systems, it said.

The ICO said: “We recognise this news may cause alarm to those who are worried they may be affected and we want to reassure the public that we are investigating as a matter of urgency.”