Massive Data Breach Exposes UK Voter Information

The UK Electoral Commission has revealed a significant data breach that has exposed the personal information of individuals who registered to vote in the United Kingdom from 2014 to 2022.

This disclosure comes ten months after the Commission first detected the breach and two years after the breach occurred. The delay in reporting the incident to the public has raised questions about why it took so long.

In the “public notification of cyber-attack,” the Commission states that they first identified the attack in October 2022. However, it has since been discovered that threat actors breached their systems much earlier, in August 2021.

During the cyberattack, the threat actors gained unauthorized access to the government agency’s servers, which contained its email system, control systems, and copies of electoral registers.

The data breach notification warns that the threat actors were able to access reference copies of the electoral registers, which the Commission uses for research purposes and permissibility checks on political donations.

The registers compromised during the cyberattack included the names and addresses of individuals in the UK who registered to vote between 2014 and 2022, as well as the names of overseas voters.

It is important to note that the exposed election registers did not contain the personal information of individuals who registered anonymously.

Exposed Voter Information

  • Personal data contained in the Commission’s email system:
    • Name, first name, and surname
    • Email addresses (personal and/or business)
    • Home address if included in a webform or email
    • Contact telephone number (personal and/or business)
    • Content of the webform and email that may contain personal data
    • Any personal images sent to the Commission
  • Personal data contained in Electoral Register entries:
    • Name, first name, and surname
    • Home address in register entries
    • Date on which a person achieves voting age that year

During the attack, the threat actors also had access to the Commission’s email server, exposing internal and external communications involving the agency.

The Commission emphasizes that the cyberattack did not impact any elections or individuals’ voter registration.

While the agency downplays the severity of the attack, stating that no voter registration was modified and that “much of it is already in the public domain,” it is essential to recognize that in the UK open register, only a voter’s name and address are publicly available. The exposed information, such as phone numbers and email addresses, can be valuable to threat actors for targeted phishing attacks and identity theft.

Therefore, all UK voters should remain vigilant against targeted phishing emails that attempt to gather further sensitive information, such as passwords, account numbers, or financial details.

If you receive suspicious emails, refrain from clicking on any links. Instead, contact the organization the email claims to come from by phone to confirm the email’s authenticity.
