Stay up to date with notifications from The Independent

Notifications can be managed in browser preferences.

Shock for millions of voters as details exposed in hack – which went undetected for a year

Electoral Commission apologises and admits it doesn’t know ‘what files may or may not have been accessed’

Adam Forrest
Political Correspondent
Tuesday 08 August 2023 19:48 BST
Comments
The Electoral Commission said hackers had been able to access registers of voters (PA)
The Electoral Commission said hackers had been able to access registers of voters (PA) (PA Wire)

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

Details of tens of millions of voters could have been accessed by hackers who targeted the Electoral Commission, the elections watchdog has admitted.

The organisation has revealed that it first detected the breach in October 2022 – but the cyberattack had happened more than a year before, in August 2021.

The Electoral Commission apologised and insisted that there was little risk of “hostile actors” influencing the outcome of a vote.

The Information Commissioner’s Office (ICO) has launched an investigation “as a matter of urgency”, saying voters would be alarmed by the news.

The hack, publicly confirmed on Tuesday, allowed the cyberattackers to access reference copies of electoral registers containing names and addresses of everyone registered to vote between 2014 and 2022.

Apologising, the Electoral Commission’s chief executive Shaun McNally admitted that his organisation did not know yet exactly which files had been accessed.

“We know which systems were accessible to the hostile actors, but are not able to know conclusively what files may or may not have been accessed,” he said.

“While the data contained in the electoral registers is limited, and much of it is already in the public domain, we understand the concern that may have been caused by the registers potentially being accessed and apologise to those affected.”

The watchdog chief said measures had been taken to improve security on the commission’s IT systems – playing down the risk of election interference because of paper-based voting.

Ballots are counted at recent Uxbridge by-election
Ballots are counted at recent Uxbridge by-election (PA)

“The UK’s democratic process is significantly dispersed and key aspects of it remain based on paper documentation and counting,” said Mr McNally. “This means it would be very hard to use a cyberattack to influence the process.

“Nevertheless, the successful attack on the Electoral Commission highlights that organisations involved in elections remain a target, and need to remain vigilant to the risks to processes around our elections.”

The hackers were able to access reference copies of the electoral registers, held by the commission for research purposes and to enable permissibility checks on political donations.

The registers held at the time of the cyberattack include the name and address of anyone in the UK who was registered to vote between 2014 and 2022, as well as the names of those registered as overseas voters.

But they did not include the details of those registered anonymously.

The register for each year holds the details of around 40 million individuals, which were accessible to the hostile actors, although this includes people on the open registers, whose information is already in the public domain.

An ICO spokesman said: “The Electoral Commission has contacted us regarding this incident and we are currently making enquiries. We recognise this news may cause alarm to those who are worried they may be affected and we want to reassure the public that we are investigating as a matter of urgency.”

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in