Massive Breach Of British Voter Data

Uploaded on 2023-08-11 in FREE TO VIEW, GOVERNMENT-National

Cyber hackers have obtained the details of tens of millions of British voters in a complex cyber attack on the Electoral Commission that went undetected for more than a year and Russian hackers are suspected to be the attacks.

The UK's elections checker the Electoral Commission has revealed it has been the victim of a "complex cyber-attack" affecting millions of voters.

“Both Police Service of Northern Ireland (PSNI) and the Electoral Commission cases are reminders of the massive importance of proper data controls. The Electoral Commission case shows that hostile actors, likely to be an as yet unknown nation state, will target the infrastructure of our democratic processes and the data of our population at scale,” says Phil Mason CEO of CyberCX UK operations, which is Australia’s largest independent cyber security services company.

“As such, all owners of critical datasets and important infrastructure in our public life need to be alert to the risks and have the ability to detect and manage anomalous activity in real time.”

“Meanwhile, the PSNI leak, while accidental and not a cyber security incident per se, is a stark reminder that when you have sensitive datasets you need expert and well managed procedures to avoid this sort of very serious accident.”

“However, it is also important to understand risk and harm. While the Electoral Commission breach sounds extraordinarily bad on the face of it, with deeply concerning intent, there are two saving graces.

“First, the electoral system is dispersed and voting is manual, so it’s very hard to cyber-attack a British election.

“Secondly, most - if not all - of the data is already public or purchasable.

“So it is important to not overreact. On the other hand, given the security situation in Northern Ireland, it is absolutely right that PSNI leadership are taking steps to ensure officers understand and get all the support necessary to manage the heightened risk’, says Phil Mason.

And the UK’s Electoral Commission has warned that hostile actors have accessed voter data, including names and addresses, belonging to anyone registered to vote in elections between 2014 and 2022.

The attackers gained access to full names, addresses, and the date on which a person achieves voting age, which is 18 for UK parliamentary elections.

The Commission said "hostile actors" had managed to gain access to copies of the electoral registers with the names and addresses of 40 million registered voters were accessible as far back as 2021 after cyber-attack.

Hackers also broke into its emails and "control systems" but the attack was not discovered until October last year.

“The incident was identified in October 2022 after suspicious activity was detected on our systems. It became clear that hostile actors had first accessed the systems in August 2021.”

“During the cyber-attack, the perpetrators had access to the Commission’s servers which held our email, our control systems, and copies of the electoral registers,” the Commission has published.

The attackers were able to access full copies of the electoral registers, held by the commission for research purposes and to enable permissibility checks on political donations.

These registers include the name and address of anyone in the UK who was registered to vote between 2014 and 2022. The commission’s email system was also accessible during the attack.

People have been warned to watch out for unauthorised use of their data.

In a public notice, the commission said hackers accessed copies of the registers it was holding for research purposes, and for conducting checks on political donors.

The watchdog said the information it held at the time of the attack included the names and addresses of people in the UK who registered to vote between 2014 and 2022.

This includes those who opted to keep their details off the open register - which is not accessible to the public but can be purchased, for example by credit reference agencies.

The data accessed also included the names, but not the addresses - of overseas voters, it added.

However, the data of people who qualified to register anonymously - for safety or security reasons, was not accessed, the watchdog said.

The commission says it is difficult to predict exactly how many people could be affected, but it estimates the register for each year contains the details of around 40 million people.

Sophisticated Attack

It added that the personal data held on its email servers was "unlikely to present a high risk to individuals," although information included in the body of an email or in an attachment could be vulnerable.

The personal data held on the registers - name and address - did not itself present a "high risk" to individuals, it added, although it is possible it could be combined with other public information to "identify and profile individuals".

It has not said when exactly the hackers' access to its systems was stopped, but said they were secured as soon as possible after the attack was identified in October 2022.

Explaining why it had not made the attack public before now, the commission said it first needed to stop the hackers' access, examine the extent of the incident and put additional security measures in place.

Information about donations and loans to political parties and registered campaigners is held in a system that is not affected by this incident, the notice added.

The commission added that it had taken steps to secure its systems against future attacks, including by updating its login requirements, alert system and firewall policies.

The Information Commissioner's Office, which is responsible for data protection in the UK, said it was urgently investigating.

The Commission did not publicly disclose the data leak until 10 months after discovering the breach. This was because it needed to remove attacks and put security in place.

BBC:      Electoral Commission:      IT Pro:      The Guardian:      Bloomberg:      Financial Times:      The Telegraph:      Evening Standard

 

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

 

Cyber Security Intelligence: Captured Organised & Accessible

« Police Officers At Severe Risk As Personal Data Exposed
Embracing The Passwordless Future »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

CionSystems

CionSystems

CionSystems provides identity, access and authentication solutions to improve security and streamline IT infrastructure management.

NXP Semiconductors

NXP Semiconductors

NXP is a world leader in secure connectivity solutions for embedded applications and the Internet of Things.

Innotec Security

Innotec Security

Innotec Security is a Spanish company specializing in cybersecurity-as-a-service, cyber resilience and cyber risk management.

Radiflow

Radiflow

Radiflow is a leading provider of cyber security solutions for critical infrastructure networks (i.e. SCADA), such as power utilities, oil & gas, water and others.

Resilience Cyber Insurance Solutions

Resilience Cyber Insurance Solutions

Resilience Cyber Insurance combines insurance expertise with cybersecurity and data talent to deliver clear, effective solutions to protect you for the cyberrisks of today—and tomorrow.

Presidio

Presidio

Presidio is a leading North American IT solutions provider focused on Digital Infrastructure, Business Analytics, Cloud, Security & Emerging solutions.

Clear Skye

Clear Skye

Clear Skye, an Identity Access and Management (IAM) software company, reimagines enterprise identity access and risk management software to make a complicated problem easier to manage.

UK Cyber Security Association (UKCSA)

UK Cyber Security Association (UKCSA)

The UK Cyber Security Association (UKCSA) is a membership organisation for individuals and organisations who actively work in the cyber security industry.

Narf Industries

Narf Industries

Narf Industries are a small group of reverse engineers, vulnerability researchers and tool developers that specialize in tailored solutions for government and large enterprises.

PolySwarm

PolySwarm

PolySwarm is a crowdsourced threat intelligence marketplace that provides a more effective way to detect, analyze and respond to the latest threats.

SEK Security Ecosystem Knowledge

SEK Security Ecosystem Knowledge

SEK helps companies in the complex path of cybersecurity; in the analysis, detection and prevention of digital threats.

GeoComply

GeoComply

GeoComply provides fraud prevention and cybersecurity solutions that detect location fraud and help verify a user's true digital identity.

Levio

Levio

Levio is a digital native business and technology consulting firm. As a true partner from start to finish, our goal is a long-lasting transformation that’s right for your business model.

Treacle Technologies

Treacle Technologies

Treacle Technologies are a Cyber Security startup with a focus on Defensive Security.

XBOW

XBOW

XBOW brings AI to offensive security, augmenting the work of bug hunters and security researchers.

IT.ie

IT.ie

IT.ie are a comprehensive provider of Managed IT Services, Cloud Solutions, Cyber Security, and proactive IT support services.