United Kingdom Privacy Security

Millions of UK Voters' Data Accessible In Cyber Attack (theguardian.com) 14

The UK's Electoral Commission revealed that a cyber attack granted access to the data of 40 million voters. It went unnoticed for a year and was not disclosed to the public for an additional 10 months. The Guardian reports: The Electoral Commission apologized for the security breach in which the names and addresses of all voters registered between 2014 and 2022 were open to "hostile actors" as far back as August 2021. The attack was discovered last October and reported within 72 hours to the Information Commissioner's Office (ICO), as well as the National Crime Agency. However, the public has only now been informed that the electoral registers containing the data of millions of voters may have been accessible throughout that time.

The Electoral Commission said it was "not able to know conclusively" what information had been accessed. It is not known whether the attackers were linked to a hostile state, such as Russia, or a criminal cyber gang. The watchdog said "much of the data" was already in the public domain and insisted it would be difficult for anyone to influence the outcome of the UK's largely paper-based electoral system, but it acknowledged that voters would still be concerned.

The attackers were able to access full copies of the electoral registers, held by the commission for research purposes and to enable permissibility checks on political donations. These registers include the name and address of anyone in the UK who was registered to vote between 2014 and 2022. The commission's email system was also accessible during the attack. The full register held by the Electoral Commission contains name and address data that can be inspected by the public but only locally through electoral registration officers, with only handwritten notes allowed. The information is not permitted to be used for commercial or marketing purposes. The data of anonymous voters whose details are private for safety reasons and the addresses of overseas voters were not accessible to the intruders in the IT system.
A spokesperson for the ICO, the UK's independent regulator on data protection, said: "The Electoral Commission has contacted us regarding this incident and we are currently making inquiries."

They added: "We recognize this news may cause alarm to those who are worried they may be affected and we want to reassure the public that we are investigating as a matter of urgency. In the meantime, if anyone is concerned about how their data has been handled, they should get in touch with the ICO or check our website for advice and support."

  • by ctilsie242 ( 4841247 ) on Tuesday August 08, 2023 @08:12PM (#63751850)

    What ever happened to the concept of data minimization/tokenization?

    For example, if I needed to store information about voter rolls, I'd have their name, perhaps an ID number, and a checkbox that they have been validated as a voter, and if they have voted in an election. This way, when it's time for polling, there is enough info to tell that a voter is legit... but other than the info required to vet a voter, give them a ballot, nothing else is required.

    This would be similar to tokenizing credit card transactions, so a merchant has the ability to work with those, but nobody can glean the actual credit card numbers for use for fraud.

    In any case, the info does need protected... this doesn't give a license to be insecure, but it reduces the damage done when a breach happens.

    • by AmiMoJo ( 196126 )

      The way the register works in the UK is that periodically the local council sends you a letter asking who lives there who is eligible to vote. You write down their names and confirm their eligibility (with penalties for lying), and of course they already have your address.

      When you go to vote they ask for your name and address, find it on a printed copy of the register, and cross it off. That prevents people who only have one or the other bits of information from impersonating you, and if someone has both an

    • The way voters are validated is that they print out a list of all the eligible voters in the precinct, and when you go to pick up your ballot paper, they cross your name off the list.

      It is a very manual, paper-based process.

    • by mjwx ( 966435 )

      What ever happened to the concept of data minimization/tokenization?

      For example, if I needed to store information about voter rolls, I'd have their name, perhaps an ID number, and a checkbox that they have been validated as a voter, and if they have voted in an election. This way, when it's time for polling, there is enough info to tell that a voter is legit... but other than the info required to vet a voter, give them a ballot, nothing else is required.

      This would be similar to tokenizing credit card transactions, so a merchant has the ability to work with those, but nobody can glean the actual credit card numbers for use for fraud.

      In any case, the info does need protected... this doesn't give a license to be insecure, but it reduces the damage done when a breach happens.

      In short, the Tories. In long form, the continual cuts to the public service, demonisation of civil servants, continual low wages driving any talent away from the public service and the continual undermining of job security in the public service over the last 15 years of conservative government. Basically an underfunded public service has had its only two redeeming points removed, public service has always paid less than the private sector but in exchange you had a low stress job and a job for life (if on

    • by pjt33 ( 739471 )

      Name and address is minimal. They need the address to send you a ballot information card which tells you where your polling station is (and which you can optionally take along when you vote, because it might be easier for the poll workers to find you on the register if they see your information in writing).

    • Agreed - there should be a lot of compartmentalisation so that any breach is maybe one county or a town or something, rather than the whole damn thing. They should be a *lot* more accountable for it too - there should be some very public explanations and notifications of this sort of thing. GDPR doesn't apply to the government, but they should be operating to at least a similar level as it demands.

      However, unlike most breaches, this one is a bit boring. My name, DoB and address are on umpteen different databa

  • Cyber attack? Must be the work of the Cybermen!

  • Hackerproof (Score:4, Interesting)

    by bugs2squash ( 1132591 ) on Tuesday August 08, 2023 @10:29PM (#63752128)
    They don't normally lose information to hackers, it's generally left at a bus stop [bbc.com] or at a pub [ukdefencejournal.org.uk].
    • Yes, this bit caught my eye: "The data of anonymous voters whose details are private for safety reasons and the addresses of overseas voters were not accessible to the intruders in the IT system." - Copies of this data may be found on discarded DVD ROMs & USB drives on random London Regional Transport vehicles.
  • What was the nature of this “cyber attack”? Provide some technical details.
    • "Attack" may just be headline puffery. The ICO is just calling this an incident at this point. The idiots in charge at the Election Commission just reported to the ICO yesterday after sitting on "something" reportable for 10 months. Could just be something like a public S3 bucket, or a database that was open for 8 years -- the equivalent of leaving DVDs on all of London's buses. They may have no idea how much this data was accessed.
