LONDON — The U.K.’s election watchdog, the Electoral Commission, has announced that it was the subject of a complex cyberattack last year in which its systems were accessed by “hostile actors.”
Personal data including names, addresses, email addresses, and other data held on electoral registers were compromised during the attack, the Electoral Commission revealed on Tuesday.
It is not currently aware of who was responsible for the attack.
The incident was first identified in October 2022 following the detection of suspicious activity, and a subsequent investigation found that hostile actors had first accessed the watchdog’s systems in August 2021.
“During the cyberattack, the perpetrators had access to the Commission’s servers which held our email, our control systems, and copies of the electoral registers,” the Electoral Commission explained in a blog post.
The body said it didn’t know how the affected data might be used, but cited the Information Commissioner’s Office (ICO) risk assessment framework as indicating that the compromising of personal data held on electoral registers, such as name and address, does not in itself present a high risk to individuals.
However, it said the data “could be combined with other data in the public domain, such as that which individuals choose to share themselves, to infer patterns of behaviour or to identify and profile individuals.”
“The attack has not had an impact on the electoral process,” the Commission added.
Explaining the delay in the announcement of the incident, the body explained that in addition to removing the actors from the system and assessing the scale of the incident, it had “to liaise with the National Cyber Security Centre and the Information Commissioner’s Office. We also needed to put additional security measures in place to prevent any similar attacks from taking place in the future.”