A series of cyberattacks on the Electoral Commission, in which the bad actor was not identified for over a year, resulted in the loss of millions of publicly accessible electoral registers.
The first breach occurring in August 2021 was only pinpointed in October 2022 after severe oversight to uncover the data breaches and failings to report to the public on the data mishandling. Recently, the Commission released a statement admitting that events two years old had undermined and significantly impacted confidence in the UK’s electoral watchdog.
Several national news outlets have reported the announcement which Shaun McNally, the Electoral Commission Chief Executive, admitted was “nevertheless” a ” successful attack on the Electoral Commission” which should be a lesson in the Commission being more “vigilant” in future to the “risks to processes around our elections”.
Shaun McNally also reasoned that elections have become a “target” to cyber criminals who deliberately compromise personal data to undermine a democratic and free electoral process. The electoral system is a “target” for these individuals wanting to engineer the party which gets into government and has power over influencing society’s biggest problems.
The cyber attacks even compromised data that is primarily stored in a paper-based documentation system.
In 2018, new rules were proposed to hold penalties against European political parties that tamper with personal voters’ data to influence elections to the European Parliament – one motive often considered for breaches – however the commission confirmed it had disregarded this line of enquiry.
The statement read: “We regret that sufficient protections were not in place to prevent this cyber-attack. Since identifying it we have taken significant steps, with the support of specialists, to improve the security, resilience, and reliability of our IT systems.”
A conclusive or ballpark figure of the data stolen, which were “reference copies” of registers being used for research purposes, was not disclosed by the Commission amid calls to identify the source of the attack. The attack also attempted to takeover control systems and penetrate the commission’s email system.
Urgent investigations now will try to establish with some urgency how users registered between 2014-2022 were let down by the electoral commission, with alerted authorities, the Information Commissioner’s Office (ICO) and National Crime Agency, likely to be in a tailspin too to manage the damage to reputations.
Data breaches have been on a steady rise and prompted questions around data protection efforts within the police, healthcare, financial services, social media and other sectors. In Northern Ireland, a serious data breach of police staff is being investigated while other sufferers so for in 2023 have included: Nashville hospital operator, Twitter and Progress Corp.