Voter data stolen in UK Electoral Commission systems breach

The UK’s Electoral Commission has revealed it suffered a compromise which has the potential to expose aspects of registered voters’ data. While much of this data may already be public, there are some privacy and safety concerns to consider.

First of all, let’s take a look at what’s been affected. The UK has something called an Electoral Roll (or Register). This is a list of all eligible registered voters residing in the UK. This list is divided into three types: the full, public register; the edited version; and the “opt-out” version.

From the Information Commissioner’s Office:

The full register is published once a year and is updated every month. It is used by electoral registration officers and returning officers across the country for purposes related to elections and referendums. Political parties, MPs and public libraries may also have the full register.

Regular folks going about their business can’t access the full version. The edited version of the register works as follows:

The open register, also called the edited register, contains the same information as the full register but is not used for elections or referendums. It is updated and published every month and can be sold to any person, organisation or company for a wide range of purposes. It is used by businesses and charities for checking names and address details; users of the register include direct marketing firms and also online directory firms.

This is one way that people end up on marketing lists, or “find a phone number/person” type websites. It’s the kind of data you’d occasionally find up for grabs on CD-ROMs.

The “opt-out” version of the register omits your details from this list. You used to have to manually opt out every time you updated your details, but these days your selection stays the same unless you specifically decide to alter it.

What has been compromised?

The Electoral Commission has this to say regarding the attack:

The Electoral Commission has been the subject of a complex cyber-attack, it has announced today, highlighting that the UK’s democratic process and its institutions remain a target for hostile actors online.

The incident was identified in October 2022 after suspicious activity was detected on the regulator’s systems. It became clear that hostile actors had first accessed the systems in August 2021. The Commission has since worked with external security experts and the National Cyber Security Centre (NCSC) to investigate and secure its systems.

As part of the attack, hostile actors were able to access reference copies of the electoral registers, held by the Commission for research purposes and to enable permissibility checks on political donations. The registers held at the time of the cyber-attack include the name and address of anyone in the UK who was registered to vote between 2014 and 2022, as well as the names of those registered as overseas voters. The registers did not include the details of those registered anonymously. The Commission’s email system was also accessible during the attack.

How serious is this breach?

A full FAQ is available, but I would draw attention to this comment from the Electoral Commission:

“While the data contained in the electoral registers is limited, and much of it is already in the public domain, we understand the concern that may have been caused by the registers potentially being accessed and apologise to those affected.”

People on the opt-out version of the register may be unsure whether their data was among that available to the attackers. From the FAQ:

Please note, the addresses of those on the open register are already publicly available. The addresses of those who opt out of the open register, are not made publicly available, but were accessible during this cyber-attack.

While using the opt-out is by no means a magic solution to the perils of real-world unpleasantness, it does help. Many at-risk or vulnerable people use it as a quick and easy way to prevent (for example) abusive ex-partners from tracking them down.

Knowing that their data is included in the pile is likely to be somewhat unsettling.

There is a way to be fully anonymous where voting registration is concerned. However, the process can be complex and off-putting. It requires items like court documents or attestations from authorised individuals to support the application. In other words, you may need to request that police officers come to your home and then explain your situation with evidence to back up your claims.

If the application is granted, you’ll be fully anonymous. The Electoral Commission does point out that anonymised individuals are not impacted by this breach, but this will be scant consolation to those who didn’t receive approval, or did not know the option existed.

For now, no additional details are forthcoming. There’s not much anyone can do with regard to the data exposure at this point. We just have to hope that those responsible aren’t in the mood for throwing everything online. So far, there’s no evidence that anyone has made use of the data in this way specifically. As for anything else, we’ll have to wait and see.
