TWO data breaches that defy belief: Details of more than 40 MILLION voters are exposed in a cyber attack on the electoral roll while the name of EVERY police officer in Northern Ireland is published in error
- Read more: Electoral Commission suffers cyber attack on electoral registers
More than 40million voters may have had their data stolen in the biggest data breach in UK history.
The Electoral Commission revealed yesterday that ‘hostile actors’ had access to its systems for 14 months without being detected. It meant the hackers may have obtained the name and address of nearly every voter in the country.
The commission admitted it still did not ‘know conclusively what files may or may not have been accessed’ and what data was downloaded or copied. The criminals were able to view electoral registers with the names and addresses of at least 40million people registered to vote between 2014 and 2022.
It came as police in Northern Ireland revealed they were also at the heart of a data breach ‘of monumental proportions’, in this case affecting thousands of officers and civilian staff. The data was mistakenly divulged in response to a freedom of information request.
The attack on the Electoral Commission also compromised its file sharing and email system, allowing access to the online addresses and data of anyone who messaged its staff. The National Cyber Security Centre, which is probing the incident, did not rule out the possibility of a foreign state attack.
The Electoral Commission has its headquarters located at 3 Bunhill Row in the City of London
Police Service of Northern Ireland (PSNI) Assistant Chief Constable Chris Todd speaks to media about a data breach involving officers and civilian staff
David Omand, a former GCHQ director, said Moscow was the prime suspect.
‘Russians, and I point to them in particular, have been interfering with democratic elections for some years now – think of the 2016 US election, and then the French election, and then the German election, even our own 2019 election,’ he said.
‘They have been trying to interfere with the democratic process. It is not at all surprising that hostile agencies would try and hack into the Electoral Commission.’
READ MORE: Russian hackers are blamed for massive cyber-attack affecting BBC, British Airways and Boots staff
Sir David told BBC Radio 4 he cited Russia because of the record of its military intelligence and civilian agents in interfering with Western elections.’
Yesterday the commission stressed the data accessed would not allow anyone to meddle in parliamentary or council elections by impersonating voters. It also said it was confident the hackers did not edit or change the electoral registers.
But MPs called for the National Cyber Security Centre and Parliament’s intelligence and security committee to investigate how the data was being used.
Tory MP Simon Fell, chairman of the all-party parliamentary group on cyber security, said: ‘Frankly this attack has put us all at risk. What is so deeply concerning is the volume and scale of this data breach. A lot of this information may be in the public domain elsewhere, but where it has real value to the people who may want to cause us harm is it is all in one place. It must be the biggest single data set breach in the UK. Given the scale and complexity of this, there are very few groups capable of such an attack, the usual suspects would be Russia, China, Iran and North Korea.
‘But it is Russia that has a history of interference in elections.’
The attackers were able to access reference copies of the registers held for research purposes and for permissibility checks on political donations.
The registers included the name and address of anyone in the UK who was registered to vote between 2014 and 2022, as well as registered overseas voters.
Electoral Commission chief executive Shaun McNally, pictured visiting polling stations with his dogs on voting day on May 5 last year, in a photograph issued by the commission
The watchdog apologised yesterday, saying that although ‘much of the data’ was already in the public domain, it is possible ‘this data could be combined with other data in the public domain … to infer patterns of behaviour or to identify and profile individuals’.
Hackers infiltrated the commission’s systems in August 2021 but the security breach was not discovered until October 2022. The commission said the attack had ‘used a sophisticated infiltration method, intended to evade our checks’, which was why it had taken so long to detect.
Officials decided to delay informing the public while they removed the hackers and put additional security in place.
But Anthony Young, of cyber security firm Bridewell, said: ‘If the attackers had access to the commission’s email systems and controls for over 14 months, during this time they could have contacted other individuals, companies and government departments claiming to be part of the electoral commission. This could lead to further loss of data or finances.’
Shaun McNally, the chief executive of the Electoral Commission, apologised, saying: ‘The UK’s democratic process is significantly dispersed and key aspects of it remain based on paper documentation and counting.
‘This means it would be very hard to use a cyber-attack to influence the process. We know which systems were accessible to the hostile actors, but are not able to know conclusively what files may or may not have been accessed.’
Source: Read Full Article