The Electoral Commission statement said the body had coordinated with the British National Cyber Security Center and external security experts to test and safeguard its systems.
“While the data contained in the electoral registers is limited, and much of it is already in the public domain, we understand the concern that may have been caused by the registers potentially being accessed and apologise to those affected,” Shaun McNally, the agency’s chief executive, said in the statement. The commission did not respond immediately to a request for comment.
Accessed data included the commission’s email system and reference copies of the electoral registers, which at the time contained the names and addresses of everyone in the country who registered to vote between 2014 and 2022, as well as names of voters registered overseas. (Britain allows some voters to register anonymously for safety reasons, and authorities said that information was not affected by the hack.)
McNally emphasized that the country’s democratic process is “significantly dispersed,” with heavy reliance on paper documentation and counting. “This means it would be very hard to use a cyber-attack to influence the process,” he said.
It is not possible to conclusively identify which files may have been accessed, McNally continued. The Information Commissioner’s Office was notified within 72 hours of spotting the hack and is investigating the incident.
Last week, the National Cyber Security Center, or NCSC, alongside agencies in the United States, Australia, Canada and New Zealand, issued a “fresh warning” to organizations on the need to update systems after cyberattacks in 2022 that focused on vulnerabilities found in outdated software.
The NCSC said on its website that it did not know who was responsible for the attack and that no one had asserted responsibility. The agency said the names and addresses potentially revealed to the hackers are not sufficient on their own to pose a high risk.
“It is possible however that this data could be combined with other data in the public domain, such as that which individuals choose to share themselves, to infer patterns of behaviour or to identify and profile individuals,” it said.
The agency kept the hack from the public this long, it said, to first remove the hostile actors, assess the extent of the incident and put in place additional security measures.
The U.S. Cybersecurity and Infrastructure Security Agency, which aids U.S. state and local election authorities, did not immediately respond to a request for comment about whether it had been asked to assist in the matter.
Joseph Menn contributed to this report.
#Hostile #actors #hacked #U.K #voter #registry #electoral #agency
