Cyberattack allows hackers to access the names and addresses of tens of millions of voters on the UK’s electoral register
The Electoral Commission has warned that “hostile actors” have breached its systems, and obtained data on all registered voters in the United Kingdom.
The Commission announced that hackers have obtained the “name and address of anyone in the UK who registered to vote between 2014 and 2022, as well as the names of those registered as overseas voters.”
And UK officials are pointing the finger of blame at Russia with Sir David Omand, a former director of GCHQ, reportedly stating that Moscow was the prime suspect.
Electoral Commission hack
In its statement, the Electoral Commission said the incident was identified in October 2022 after suspicious activity was detected on its systems.
Questions will be raised at the time it has taken for the Commission to become aware of the attack, and then the time it has taken to publicly reveal the breach, which was first identified 10 months ago.
“It became clear that hostile actors had first accessed the systems in August 2021,” the Commission said. “During the cyber-attack, the perpetrators had access to the Commission’s servers which held our email, our control systems, and copies of the electoral registers.”
The Commission said that the hackers were able to access reference copies of the electoral registers, held by the Commission. This included “the name and address of anyone in the UK who registered to vote between 2014 and 2022, as well as the names of those registered as overseas voters.”
The Commission said its email system was also accessible during the attack.
It is reported that the personal data of up to 40 million Britons could be impacted in this breach.
“We understand the concern this attack may cause and apologise to those affected,” it stated. “Since the attack was discovered, we have worked with security specialists to investigate the incident and have taken action to secure our systems and reduce the risk of future attacks.”
However the Commission said its assessment that “the information affected by this breach does not pose a high risk to individuals and this notification is being given due to the high volume of personal data potentially viewed or removed during the cyber-attack.”
The following personal data has been affected by this incident:
Personal data contained in email system of the Commission:
- Name, first name and surname.
- Email addresses (personal and/or business).
- Home address if included in a webform or email.
- Contact telephone number (personal and/or business).
- Content of the webform and email that may contain personal data.
- Any personal images sent to the Commission.
Personal data contained in Electoral Register entries:
- Name, first name and surname
- Home address in register entries
- Date on which a person achieves voting age that year.
Electoral Register data not held by the Commission:
- Anonymous registrations
- Address of overseas electors registered outside of the UK.
The Commission said it has “taken steps to secure our systems against future attacks and improved our protections around personal data. We have strengthened our network login requirements, improved the monitoring and alert system for active threats and reviewed and updated our firewall policies.”
It said it has worked with external security experts and the National Cyber Security Centre to investigate and secure its systems.
Sir David Omand, a former GCHQ director, was quoted by the Daily Mail as telling BBC Radio 4 that Moscow was the prime suspect.
“Russians, and I point to them in particular, have been interfering with democratic elections for some years now – think of the 2016 US election, and then the French election, and then the German election, even our own 2019 election,” he was quoted as saying.
“They have been trying to interfere with the democratic process,” said Sir David. “It is not at all surprising that hostile agencies would try and hack into the Electoral Commission.”
Sir David reportedly cited Russia because of the record of its military intelligence and civilian agents in interfering with Western elections.’
Matter of time
The breach of the Electoral Commission drew a slew of responses from cybersecurity experts, due to the serious nature of the hack.
“It was only a matter of time before the UK electoral register suffered a cyberattack,” noted Jake Moore, global cybersecurity advisor at ESET. “Election data remains a prize target for multiple different groups of attackers.”
“Whilst the specifics of the stolen data is unknown, people should remain as cautious as ever with unsolicited communications, even though the majority of the data may have been stolen well over a year ago,” said Moore.
“What remains more worrying is that the attack went undiscovered for 15 months and did the authorities were not alerted of any abnormalities on their systems in that time,” said Moore. “Cybercriminals work best in stealth mode but rarely are they undetected for this length of time. However complex an attack is, it is saddening to see malicious actors break in and rummage around for so long.”
Another expert, John Hultquist, Mandiant chief analyst at Google Cloud noted that intrusions into election related networks are not tantamount to manipulation of the vote.
“We should be careful not to ascribe too much meaning to these incidents, which could serve the adversary’s interest,” said Hultquist. “In the past Russia’s GRU has taken advantage of election related intrusions in Ukraine to suggest they have manipulated the vote, despite lacking the ability to do so.”
“Similarly, in 2020 Iran faked a hack of US election related systems to suggest they manipulated the vote,” said Hultquist. “Ultimately, adversaries seek to undermine our democratic institutions and more often than not they do that by overstating their own power.”
But Mike Newman, CEO of My1Login said that this incident does have the potential to put thousands, even millions, of British citizens at risk.
“The Electoral Commission has stated it doesn’t know what information has been viewed or copied, but with the information stored on their servers relating to home addresses, telephone numbers and emails, attackers could now use this data to send out highly sophisticated phishing scams, especially those in relation to this incident,” said Newman.
“It is wise to therefore treat email correspondence relating to the breach with caution and to avoid clicking on links in emails or giving away personal information,” said Newman.
“It sounds like the attackers initially gained access to the Electoral Commission’s systems via a compromised login, as it was suspicious login attempts that first alerted them to the breach,” said Newman. “This once again highlights how compromised logins can offer criminals with unfiltered corporate network access, which is very difficult to spot because the login does not appear malicious.”
“The only way to counter this threat is by removing passwords from employee hands so they can’t be stolen,” said Newman. “Using modern identity management tools, organisations can remove passwords and credentials from employees, instead offering them access to all the applications they need by distributing encrypted credentials.”
Meanwhile Matt Aldridge, principal solutions consultant at OpenText Cybersecurity said that the attack on the Electoral Commission is concerning, as the stolen data could help to fuel future cyber-attacks and other types of fraud.
“Also, if a nation-state actor was at work here, this data could be used to boost any influence campaigns they are running against UK targets, in an effort to support that nation’s competitive agenda,” said Aldridge.
“The fact that name and home address data has been stolen is worrying, as it could contribute to targeted social engineering attacks on the victims involved,” said Aldridge. “My message to voters who may have been affected is to remain vigilant for future scam messages or other communications that may use your name and address to purport legitimacy, and to react with appropriate suspicion.”
“Staying alert and not clicking on suspicious links or providing personal details, whether financial or password related, is the best way to stay protected from all types of phishing emails,” he said.
Bulk data collection
Another security expert, Andrew Bolster, senior manager of research and development at the Synopsys Software Integrity Group, agreed that the compromised data, when combined with other datasets, could present a risk for UK voters.
“Like many electoral registers globally, the UK electoral register can be viewed by almost anyone via local registry offices,” said Bolster. “However, this intrusion into the internal electoral register- particularly the exposure of registrants’ records who had opted out of the public register – could pose a significant risk to citizens if correlated with other datasets such as credit records and company registration data.”
“While seemingly benign on its own, this kind of bulk-data exposure can be leveraged to gain trust and confidence in spear-phishing attacks, or to ‘triangulate’ individuals under personal threat by combining multiple disparate data sources,” said Bolster.
“The nature of this attack, which has been noted to stem from an email-based compromise, demonstrates that ‘defending the perimeter’ is not always sufficient,” said Bolster. “When it comes to data privacy, the owners of these data sets must establish and enforce defence-in-depth and layers of access control to protect them.”
Another expert, Gary Barlet, Federal Field CTO at Illumio, who was previously a former Federal Chief Information Officer and a retired Air Force Cyber Operations Officer, noted the need for an agile response to these types of incidents.
“Based on the current information disclosed, it looks like a slow and low attack,” said Barlet. “However, while the impact of the attack is low, the fact it was undetected for so long will leave questions about what else attackers were doing as it doesn’t take that long to steal that data.”
“Government departments will always be a top target for hostile actors because of the lucrative data they hold and potential for mass disruption,” said Barlet. “However, the attack does highlight the need for a more agile response to security incidents, especially as we start to see more AI-based attacks that can evade defences. This means shifting away from static, network-based security models to focus on users, assets, and resources.”
“The reality is we will never be able to prevent all attacks, particularly those from nation-states with an unlimited arsenal of funds and resources,” said Barlet. “If not already, every government department must take steps to strengthen defences internally to prevent the spread of similar attacks. This can be achieved by ring-fencing and protecting high-value applications and data; restricting access to only that which is critical and necessary.”
Meanwhile Chris Morgan, senior cyber threat intelligence analyst at ReliaQuest, noted the geopolitical issues at play, with Russia once again being mentioned.
“While details are sparse, the recent revelation of an attack against the UK Electoral Commission potentially leaves UK voters at risk from fraud and targeted social engineering attacks,” said Morgan.
“The reported scale of the data breached could affect millions of individuals, posing a significant risk given it likely includes names and addresses of voters; this could be combined with other public information to profile individuals,” said Morgan.
“The attack, in which an unknown attacker reportedly had access to electoral registers since August 2021, was not identified until October 2022,” Morgan noted. “This is a long duration for an attacker to establish their persistence and achieve their goals. Exactly what those goals and motivations were is unclear, as are the origins of the attacker.”
“Given the UK’s stance in the ongoing Russia-Ukraine war, in providing financial and military aid to Ukraine, it is realistically possible that the attackers were aligned to the Russian state,” said Morgan. “While this remains theoretical at this stage, this would also fit the previous modus operandi of Russian state aligned groups attempting electoral interference.”