Electoral Commission subject to cyber-attack

Issued by the Electoral Commission

The Electoral Commission has been the subject of a complex cyber-attack, it has announced today, highlighting that the UK’s democratic process and its institutions remain a target for hostile actors online.

The incident was identified in October 2022 after suspicious activity was detected on the regulator’s systems. It became clear that hostile actors had first accessed the systems in August 2021. The Commission has since worked with external security experts and the National Cyber Security Centre (NCSC) to investigate and secure its systems.

Shaun McNally, the Electoral Commission Chief Executive, said:

“The UK’s democratic process is significantly dispersed and key aspects of it remain based on paper documentation and counting. This means it would be very hard to use a cyber-attack to influence the process. Nevertheless, the successful attack on the Electoral Commission highlights that organisations involved in elections remain a target, and need to remain vigilant to the risks to processes around our elections.

“We regret that sufficient protections were not in place to prevent this cyber-attack. Since identifying it we have taken significant steps, with the support of specialists, to improve the security, resilience, and reliability of our IT systems."

As part of the attack, hostile actors were able to access reference copies of the electoral registers, held by the Commission for research purposes and to enable permissibility checks on political donations. The registers held at the time of the cyber-attack include the name and address of anyone in the UK who was registered to vote between 2014 and 2022, as well as the names of those registered as overseas voters. The registers did not include the details of those registered anonymously. The Commission’s email system was also accessible during the attack. 

Shaun McNally continued:

“We know which systems were accessible to the hostile actors, but are not able to know conclusively what files may or may not have been accessed.

“While the data contained in the electoral registers is limited, and much of it is already in the public domain, we understand the concern that may have been caused by the registers potentially being accessed and apologise to those affected.”

Electoral registers are held and maintained by individual Electoral Registration Officers for each local authority area, but the Commission is one of a number of organisations which has copies to support it in fulfilling its role in the democratic process.

In line with requirements under the law, the Commission notified the Information Commissioner’s Office (ICO) within 72 hours of identifying that data on its systems may have been accessed, and has today published a formal notification. The ICO is currently investigating the incident.

Ends

For more information contact the Electoral Commission press office on 020 7271 0704, out of office hours 07789 920 414 or press@electoralcommission.org.uk (Opens in new window)

Notes to editors

  1. The Electoral Commission is the independent body which oversees elections and regulates political finance in the UK. We work to promote public confidence in the democratic process and ensure its integrity by:
    • enabling the delivery of free and fair elections and referendums, focusing on the needs of electors and addressing the changing environment to ensure every vote remains secure and accessible
    • regulating political finance – taking proactive steps to increase transparency, ensure compliance and pursue breaches
    • using our expertise to make and advocate for changes to our democracy, aiming to improve fairness, transparency and efficiency

The Commission was set up in 2000 and reports to the UK and Scottish Parliaments, and the Senedd.

  1. The Commission has published a public notification on its website today, alerting people to the data breach and setting out the data which was accessible.
  2. In addition to data held on the electoral registers, any details provided to the Commission via email or through the ‘contact us online’ function on its website between August 2021 and October 2022 was accessible to the cyber attackers.
  3. There is no indication that information accessed during this cyber-attack has been copied, removed or published online.
  4. The Electoral Commission is required by law to hold electoral registers and uses them for research and regulatory purposes, such as checking the permissibility of donors to political parties.
  5. Any questions regarding the Information Commissioner’s Office (ICO) investigation into the breach, should be addressed to the ICO press team.
8 Aug 2023