The UK Electoral Commission revealed this week that hackers had infiltrated its voting infrastructure, resulting in a data breach affecting over 40 million voters.
What’s troubling is the severity of the breach and how long it took before it was discovered. Perpetrated back in August 2021, the large-scale breach remained undiscovered for over a year.
It was finally uncovered in October 2022, but only released to the public this week. The Electoral Commission cites its duty to Articles 33 and 34 of the UK General Data Protection Regulation (GDPR) to reveal this information.
The leaked data includes private information, including email addresses, phone numbers, full names, home addresses, ages, and even identifiable pictures of users. Some, but not all, of this information was already available in the public domain.
Hackers managed to access reference copies of the electoral registers, claims the report made by the Electoral Commission.
“The registers held at the time of the cyber-attack include the name and address of anyone in the UK who registered to vote between 2014 and 2022, as well as the names of those registered as overseas voters,” it reads.
Fortunately, those who registered to vote anonymously didn’t have visible data to take.
The Information Commissioner’s Office reviewed the severity of the breach and stated that the leaked information “does not in itself present a high risk to individuals,” however, when combined with other information in the public domain, it could present higher risks.
That said, it has stated that no immediate actions need to be taken by anyone affected by the breach, and much of the information that was leaked was already available to the public domain.
“We have taken steps to secure our systems against future attacks and improved our protections around personal data,” states the Electoral Commission.
No information about how the attack was accomplished was revealed in their report.