A cyber attack targeting the UK’s Electoral Commission, which resulted in the exposure of data belonging to 40 million voters over two years, is believed to have been orchestrated by Russia.
This breach was initially detected in October 2022 after identifying suspicious activities. Subsequent investigation revealed that the attackers had gained unauthorized access in August 2021.
Electoral Commission CEO Shaun McNally expressed regret that adequate safeguards were not in place to thwart this cyber assault. Upon identification, significant measures were undertaken, supported by experts, to fortify the security, resilience, and dependability of their IT systems.
The perpetrators managed to infiltrate reference copies of electoral registers maintained by the Commission for research and legitimacy assessment of political contributions. This trove of data encompassed the names and addresses of all individuals registered to vote in the UK between 2014 and 2022, along with names of overseas voters. The Commission’s email infrastructure was also accessible during this attack.
The fact that the attackers maintained their presence within the systems for an extended duration without making any demands implies that this was likely a nation-state operation rather than a straightforward extortion attempt. Notably, Sir David Omand, a former director of the intelligence agency GCHQ, singled out Russia as the primary suspect.
McNally highlighted the dispersed and paper-dependent aspects of the UK’s democratic process, which would make it challenging for a cyber attack to have a direct influence. However, the data still holds value for a hostile nation-state. Brad Freeman, the director of technology at cybersecurity company SenseOn, emphasized that while the electoral roll itself might not be directly exploited to compromise democracy, extensive databases are valuable for information aggregation by nation-states, enabling the construction of comprehensive profiles of a nation and its citizens.
Moreover, this breach underscores the broader issue of government IT security. Government IT systems often exist in a fragmented state, with each department independently developing and managing their systems. While this promotes innovation and online accessibility, it can also lead to discrepancies in security standards, elevating the overall risk profile.