The data of 40 million voters has likely been exposed by Chinese-linked hackers after basic IT security failings allowed them to break into servers, a watchdog finds.
An inquiry by the Information Commissioner’s Office (ICO) unearthed that the Electoral Commission had failed to keep its servers up to date, meaning hackers were able to take advantage of it’s tech weaknesses.
The attackers were also able to access reference copies of the registers held for research purposes and for permissibility checks on political donations.
The registers included the name and address of anyone in the UK who was registered to vote between 2014 and 2022, as well as registered overseas voters.
The attack on the Electoral Commission also compromised its file sharing and email system, allowing access to the online addresses and data of anyone who messaged its staff.
The data of 40 million voters has likely been exposed by Chinese-linked hackers after basic IT security failings allowed them to break into servers according to a watchdog investigation (stock image)
An inquiry by the Information Commissioner’s Office (ICO) unearthed that the Electoral Commission had failed to keep its servers up to date, meaning hackers could take advantage of tech vulnerabilities (pictured: an aerial view of the GCHQ)
The National Cyber Security Centre (NCSC), part of GCHQ, previously believed it was likely Beijing-affiliated hackers stole hoards of the data.
The hackers broke into the systems in August 2021 but the security breach was not discovered until October 2022.
The commission said the attack had ‘used a sophisticated infiltration method, intended to evade our checks’, which was why it had taken so long to detect.
Security patches for the tech vulnerabilities had been released in April and May 2021 – months before the attack – but weren’t installed.
Officials decided to delay informing the public while they removed the hackers and put additional security in place.
The data watchdog issued a formal reprimand to the Electoral Commission, which has already put in place a series of steps to better its security.
Stephen Bonner, deputy commissioner at the ICO, said: ‘If the Electoral Commission had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened.
‘By not installing the latest security updates promptly, its systems were left exposed and vulnerable to hackers.
‘I know the headline figures of 40 million people affected caused considerable public alarm when news of this breach emerged last year.
‘I want to reassure the public that while an unacceptably high number of people were impacted, we have no reason to believe any personal data was misused and we have found no evidence that any direct harm has been caused by this breach.’
This comes after ex-Deputy Prime Minister Oliver Dowden formally blamed state-linked Chinese hacking groups for the cyber-attack on the commission in March.
Mr Dowden said there was a ‘clear pattern of activity’ from China, identifying the group known as APT31 as involved.
The National Cyber Security Centre (NCSC), part of GCHQ , previously believed it was likely Beijing-affiliated hackers stole hoards of the data (pictured: outside the Electoral Commission)
Ex-Deputy Prime Minister Oliver Dowden (pictured) formally blamed state-linked Chinese hacking groups for the cyber-attack on the commission in March
He said two individuals and an ‘entity’ linked to APT31 were being sanctioned, and the Chinese ambassador had been summoned at the time.
Intelligence agencies believed the data accessed from the electoral register ‘would highly likely be used’ by Chinese spies for purposes, including large-scale espionage and the repression of perceived dissidents and critics in the UK.
An Electoral Commission spokesman said: ‘We regret that sufficient protections were not in place to prevent the cyber attack on the commission.
‘As the ICO has noted and welcomed, since the attack we have made changes to our approach, systems, and processes to strengthen the security and resilience of our systems and will continue to invest in this area.’
