UK Electoral Commission breach: How serious was it?

The UK’s Electoral Commission has announced a massive data breach involving personal data about nearly everyone in the UK. But the Commission claims that much of the information was publicly available. So how concerned should we be?

What happened?

The Electoral Commission announced its data breach on 8 August 2023.

The incident involved data about almost every person in Great Britain who was registered to vote between 2014 and 2022, and almost everyone in Northern Ireland who was registered to vote in 2018—likely around 40 million people in total.

The Commission reported that it had discovered, in October 2022, that malicious actors had gained access to its systems in August 2021.

As such, the breach took place for a period of around 14 months, and the Commission notified the public around 10 months later.

Why did the Commission announce the data breach so late?

The UK General Data Protection Regulation (GDPR) requires controllers to notify the Information Commissioner’s Office (ICO) of data breaches, “without undue delay” and within 72 hours if the breach poses a risk to data subjects’ (people’s) “rights and freedoms”.

The Electoral Commission says that it reported the breach to the ICO within this 72-hour timeframe.

Controllers only need to notify the data subjects affected by a data breach if the incident causes a “high risk” to people’s rights and freedoms. There’s no 72-hour deadline for notifying data subjects, but the controller should still make the notification “without undue delay”.

The Commission claims that the breach did not meet this “high risk” threshold. However, the Commission’s statement does not explain why it nonetheless decided to announce the data breach publicly, or why waited around 10 before doing so.

Who is responsible for the attack?

The Electoral Commission has not disclosed who conducted the attack on its systems, or even whether it has determined who the attackers were.

Investigations involving the ICO and the UK National Cyber Security Centre (NCSC) are underway. It’s possible that revealing knowledge of the attackers’ identities could compromise these ongoing investigations.

According to media reports, the attackers exploited an unpatched vulnerability in Microsoft Exchange to gain access to the Commission’s servers.

What data was compromised?

The Electoral Commission has published details of the types of data to which the attackers had access, but has not said what data, if any, was exfiltrated by the hackers.

“We know which systems were accessible to the hostile actors, but are not able to know conclusively what files may or may not have been accessed,” the Electoral Commission’s chief executive, Shaun McNally, said in a statement on the Commission’s website.

The attackers would have had access to the following sources of personal data:

• The open electoral register
• The full electoral register
• The Electoral Commission’s email systems

Registers containing details of anonymous or overseas voters were reportedly unaffected by the breach.

What is the open electoral register?

The open electoral register (sometimes called the “edited register”) contains the full name of almost every person registered to vote in the UK, plus their home address, and, where relevant, the date on which a person becomes eligible to vote in a given year.

The open register is available for purchase by anyone in the UK, in electronic or paper format. For example, Glasgow City Council sells copies of the open register for £20, plus £1.50 for each 1,000 entries.

Voters can opt out of the open register; in which case they will only appear on the full electoral register.

Some people can also register to vote anonymously, in which case they will appear on neither the full nor the open register.

What is the full electoral register?

The full electoral register includes the details of every registered UK voter (their full names and addresses, and, in some cases, information that reveals their age), including those who have opted out of the open electoral register—except anonymous voters.

Like the open register, the full register is publicly accessible—but only to an extent.

Local “electoral registration officers” hold copies of the full register that are available to view, often in libraries. Members of the public can access the full register—under supervision—to see who is registered to vote in the local area.

“There are strict rules on who has access to the full register and on what use can be made of the data contained within it,” a House of Commons research briefing says. “A breach of the rules is an offence.”

Certain organizations are entitled to a free copy of the full register, such as campaigning political parties, the police, and—of course—the Electoral Commission. Credit reference agencies can also purchase a copy of the open register for certain purposes.

What data was accessible via the Commission’s email systems?

As noted, the attackers had access to the Electoral Commission’s email systems throughout the 14-month period of the breach.

The Commission states that any information it received via emails and webforms was accessible to the attackers.

The information the Commission received via email includes the obvious types of data (email addresses, phone numbers, and names), and could also include more sensitive data—depending on what people have emailed to the Electoral Commission.

Is any of this data particularly sensitive?

As noted, the Electoral Commission says that the data breach does not pose a high risk to data subjects.

“According to the risk assessment used by the Information Commissioner’s Office to assess the harm of data breaches, the personal data held on the electoral registers does not in itself present a high risk to individuals,” a statement on the Commission’s website says.

This is partly due to the nature of the personal data involved, which was mostly names and addresses, and partly due to the public accessibility of much of the data.

The exception is the information stored in the Commission’s email servers, much of which was presumably not publicly accessible, and some of which could be more sensitive.

However, even though the open register and the full register are both publicly accessible, this element of the breach could still have serious implications.

Why does it matter if publicly accessible data was stolen?

The UK GDPR still applies to publicly accessible data, meaning that the Electoral Commission was legally obliged to apply appropriate safeguards to keep the data secure.

Most notably, the full register includes details about people who opted out of the open register. While information about those people was still publicly accessible, access is tightly controlled and only allowed for certain purposes.

If a malicious actor obtained the full register, they would have free and possibly anonymous access to the names and addresses of people who took the necessary steps to opt out of the full register (and might have had a compelling reason to do so).

The open register is less closely protected and can be purchased and used for any legitimate purpose. However, it might be possible to trace the people who have purchased or requested access to the open register.

A malicious actor having free access to the entire register could have more serious implications than the strictly controlled access that normally applied.

There’s a lesson here regarding publicly accessible data—which is normally made public in a specific context. Risks can arise when that information is accessed by different people, in different ways, and in other contexts.

But until we know more about the nature of the attackers and the reasons for the attack, it’s hard to know the full effects of this huge data breach.