The UK’s Electoral Commission has been the subject of an online attack that may have exposed the names and addresses of voters, as well as the Commission’s email system and unspecified other systems.
In a public notice on its site, the Commission said that the intrusion was identified in October 2022, after suspicious activity was detected on its systems, but that it was clear that the attackers had first accessed those systems more than a year earlier, in August 2021.
As a consequence of its systems being penetrated, the attackers had access to the servers that host the Commission’s email, control systems, and copies of the electoral registers covering the entire country.
The Commission told The Register in an email today that it is “Currently under investigation by the Information Commissioner’s Office” and “Cannot release any information that could compromise their investigation.” It did note that the cyber-attack “Included access to the Commission’s Exchange server, which holds our email system. This means that anyone who has contacted the Electoral Commission via email or through the webform on our website, will have provided data that was accessible as part of this attack.”
“Email is like the keys to the digital kingdom,” Woodward told us, saying that it could potentially have given away a lot of information about the Electoral Commission and the way it works, and enable the attackers to target election officials.
“What remains more worrying is that the attack went undiscovered for 15 months and yet the authorities were not alerted of any abnormalities on their systems in that time. Cybercriminals work best in stealth mode but rarely are they undetected for this length of time,” said Jake Moore, Global Cybersecurity Advisor for security outfit ESET. The Electoral Commission declined to provide information on whether it knew how many times its systems had been accessed during the 15-month period, if there was any evidence that its email system had been accessed in any way, and what the control systems are that the attackers supposedly had access to.
