The UK Electoral Commission today confirmed a hack of its systems that took place a year ago. According to the information provided, attackers gained access to the commission's systems in August 2021, but the malicious activity was not detected until October 2022.
As a result of the attack, the hackers gained access to data including the names and addresses of voters who registered to vote in the UK between 2014 and 2022, as well as the names of those registered as overseas voters. The commission did not give the exact number of people affected.
During the attack, the attackers also gained access to the commission's emails, management system and copies of electoral registers. The copies were used "for research purposes and to check the admissibility of donations to political parties," according to the commission.
The commission said the data leak did not affect the electoral process and did not affect citizens' rights to participate in democratic elections.
UK data protection laws require organizations to notify the public of hacks as a matter of urgency. The commission said it discovered the incident in October 2022, nine months ago. Under the law, delayed notification risks a fine of up to £8.7 million ($11.1 million) or 2% of a company's global turnover.
The commission said it decided to notify the incident because of the "large amount of personal data that was potentially viewed or seized" during the cyberattack. However, the commission did not specify whether the attackers were motivated by a desire to gather intelligence or financial interests.
The commission is actively working with the National Cyber Security Center (NCSC), which is providing expertise and advice on how to restore systems. The Information Commissioner's Office (ICO) has also joined the investigation into the incident and promises to provide findings promptly.