Intrusion enabled unauthorised access to the Commission's servers hosting email, control systems, and copies of the electoral registers it maintains for research purposes.
The U.K. Electoral Commission on Tuesday disclosed a "complex" cyber attack on its systems that went undetected for over a year, allowing the threat actors to access years' worth of voter data belonging to 40 million people.
"The incident was identified in October 2022 after suspicious activity was detected on our systems," the regulator said. "It became clear that hostile actors had first accessed the systems in August 2021."
The intrusion enabled unauthorised access to the Commission's servers hosting email, control systems, and copies of the electoral registers it maintains for research purposes. The identity of the intruders is presently unknown.
The registers included the name and address of anyone in the U.K. who registered to vote between 2014 and 2022, as well as the names of those registered as overseas voters. However, they did not contain information on those who qualified to register anonymously, or the addresses of overseas electors registered outside of the U.K.
The details exposed as a result of the cyber incident are as follows:
Name, first name, and surname
Email addresses (personal and/or business)
Home address if included in a webform or email
Contact telephone number (personal and/or business)
Content of the webform and email that may contain personal data
Any personal images sent to the Commission.
Home address in register entries
Date on which a person achieves voting age that year
It's not clear why the disclosure was delayed by another 10 months, but the Commission told the BBC and The Guardian that it was done to stop the adversary's access, investigate the extent of the breach, and enforce security guardrails.
The Commission also noted that the accessed data could be combined with other details that are already available in the public domain to "infer patterns of behaviour or to identify and profile individuals."
It also emphasised that the attack has no impact on the electoral process or electoral registration status, and that the data held in its email servers is unlikely to pose a risk to people unless any sensitive information was shared in those messages.
"Anyone who has been in contact with the Commission, or who was registered to vote between 2014 and 2022, should remain vigilant for unauthorised use or release of their personal data," the watchdog said, adding it has put in place mitigations to secure against future attacks.
Article originated in The Hacker News