Receive free The Electoral Commission updates

We’ll send you a myFT Daily Digest email rounding up the latest The Electoral Commission news every morning.

Hackers obtained the details of tens of millions of British voters in a “complex cyber attack” on the UK’s Electoral Commission that went undetected for more than a year, the elections watchdog admitted on Tuesday.

The body said “hostile actors” first breached its network in August 2021, gaining access to its file-sharing and email systems, and obtaining copies of the electoral register. However, “suspicious activity” was not identified until last October.

“We do not know who is responsible for the attack,” the commission said, adding that no groups or individuals had claimed the hack.

The registers that were breached included the name, home address and date on which a person reached voting age of all those who registered for a ballot between 2014 and 2022, as well as details of overseas voters. The data of people who registered for a vote anonymously was not accessed.

The commission said it was “difficult to accurately predict a figure” for how many people’s data had been affected but it estimates each year’s register holds the details of “around 40mn individuals”.

“We understand the concern this attack may cause and apologise to those affected,” the commission said. “We regret that sufficient protections were not in place to prevent this cyber attack.”

It insisted there was little risk of the hackers being able to influence the outcome of a vote or impersonate individual voters, adding: “There has been no impact on the security of UK elections.”

However, the watchdog warned that Britons who were potentially affected should remain “vigilant for unauthorised use or release” of their personal details. The data could be matched to other information in the public domain and used to “infer patterns of behaviour or to identify and profile” people, it added.

Shaun McNally, Electoral Commission chief executive, said the attack “highlights that organisations involved in elections remain a target, and need to remain vigilant to the risks to processes around our elections”.

“The UK’s democratic process is significantly dispersed and key aspects of it remain based on paper documentation and counting,” he added. “This means it would be very hard to use a cyber attack to influence the process.”

UK elections are administered by local authorities but the commission said that it had held “reference copies” of the electoral register for research purposes and to enable permissibility checks on political donations.

The hackers also had access to the commission’s email system and “control systems”, the watchdog said. This meant the email addresses and phone numbers of people who corresponded with the commission may have been taken.

The watchdog reported the breach to the National Cyber Security Centre, a branch of signals intelligence agency GCHQ that advises UK companies on combating cyber crime, and the Information Commissioner’s Office, the data protection regulator. Security specialists have since been brought in to investigate and secure the commission’s systems, it said.

However, the commission did not publicly disclose the data leak until some 10 months after discovering the breach. This was because it needed to “remove the [hostile] actors and their access to our system”, assess damage and put in place “additional security measures”, it said.

The ICO said it was “investigating as a matter of urgency”.

The UK public sector has suffered a series of cyber security incidents this year. Several local and national organisations were caught up in March’s ransomware attack on outsourcing group Capita, while others were affected by June’s wide-ranging hacking spree by the Russian-speaking Clop gang, which exploited a vulnerability in the MOVEit file transfer service.

Mark O’Neill, an IT consultant with more than 20 years of experience working on UK government technology, said the Electoral Commission hack looked like a “classic opportunistic” cyber attack and that the stolen data appeared to be “more akin to the classic telephone directory than a gold mine of sensitive information”. 

“The open register is available for anyone to browse simply by going to the library,” said O’Neill. “This is not a threat to democracy, but a reminder to build systems in a way that limits unnecessary access.”