UK voter data exposed for over a year in attack on Electoral Commission

The UK’s Electoral Commission has been the subject of an online attack that may have exposed the names and addresses of voters, as well as the Commission’s email system and unspecified other systems.

In a public notice on its site, the Commission said that the intrusion was identified in October 2022, after suspicious activity was detected on its systems, but that it was clear that the attackers had first accessed those systems more than a year earlier, in August 2021.

As a consequence of its systems being penetrated, the attackers had access to the servers that host the Commission’s email, control systems, and copies of the electoral registers covering the entire country.

The Commission told The Register in an email today that it is “Currently under investigation by the Information Commissioner’s Office” and “Cannot release any information that could compromise their investigation.” It did note that the cyber-attack “Included access to the Commission’s Exchange server, which holds our email system. This means that anyone who has contacted the Electoral Commission via email or through the webform on our website, will have provided data that was accessible as part of this attack.”

“Email is like the keys to the digital kingdom,” Woodward told us, saying that it could potentially have given away a lot of information about the Electoral Commission and the way it works, and enable the attackers to target election officials.

“What remains more worrying is that the attack went undiscovered for 15 months and yet the authorities were not alerted of any abnormalities on their systems in that time. Cybercriminals work best in stealth mode but rarely are they undetected for this length of time,” said Jake Moore, Global Cybersecurity Advisor for security outfit ESET. The Electoral Commission declined to provide information on whether it knew how many times its systems had been accessed during the 15-month period, if there was any evidence that its email system had been accessed in any way, and what the control systems are that the attackers supposedly had access to.

Share this article on social media:

Subscribe to Our Newsletter!
Stay on top of cybersecurity risks, evolving threats and industry news.
This field is for validation purposes and should be left unchanged.

The Latest Cybersecurity News

From major cyberattacks, newly discovered critical vulnerabilities to recommended best practices, read it here first:

Tell us About your Needs
Get an Answer the Same Business Day

Got an urgent request? Call us at 1-877-805-7475 or Book a meeting.

What happens next:

A Vumetric expert will contact you to learn more about your cybersecurity needs and goals.

The project's scope will be defined (Target environment, deadlines, requirements, etc.)

A detailed quote including all-inclusive pricing and statement of work is sent to you.

This field is for validation purposes and should be left unchanged.


Everything You Need to Know

Gain confidence in your future cybersecurity assessments by learning to effectively plan, scope and execute projects.


Enter your Email Address

This field is for validation purposes and should be left unchanged.

* No free email provider (e.g:,, etc.)

This site is registered on as a development site. Switch to a production site key to remove this banner.