UK Electoral Commission systems breached for over a year

Systems at the Electoral Commission, the body which oversees elections in the UK, have suffered a breach exposing electoral registers which hold the data of anyone registered to vote between 2014 and 2022. The Commission’s email system was also exposed in the breach.

In a statement on its website the Commission says it identified the incident in October last year but that systems were accessed as long ago as August 2021.

The electoral register contains little more than names and postal addresses and a flag to show eligibility for jury service. The risk of identity theft or phishing from use of compromised data is therefore small. There's also little risk of interference with elections since the UK's voting system is still largely paper based.

The exposed information does include those who have opted out of having their names on the public register, however. Chris Boyd, lead malware intelligence analyst at Malwarebytes, says:

While much of the information may be public domain, there will be many individuals potentially at risk who use the electoral roll opt-out as an easy way to keep themselves safe from stalkers, or abusive ex-partners.

The FAQ notes that 'The addresses of those who opt out of the open register, are not made publicly available, but were accessible during this cyber-attack'. There is a way to secure anonymous voting, but the steps are potentially complicated and require court documents or attestations from authorized individuals. I suspect people would simply rely on the opt-out rather going down that route, with the opt-out now likely a little bit less useful due to the compromise.

Andrew Bolster, senior manager of research and development at the Synopsys Software Integrity Group, points out the potential to cross reference this data with other sources. "Like many electoral registers globally, the UK electoral register can be viewed by almost anyone via local registry offices. However, this intrusion into the internal electoral register -- particularly the exposure of registrants' records who had opted out of the public register -- could pose a significant risk to citizens if correlated with other datasets such as credit records and company registration data."

What's more concerning is the length of time taken to identify the breach, as a number of industry experts point out.

"This breach took more than a year to detect, showing just how difficult has become for security teams to stop all attacks," says Oliver Tavakoli, CTO at Vectra. "And once an attack has overcome the initial lines of defense, they burrow into an environment and become harder to find. The increasing complexity of highly distributed attack surfaces of the modern hybrid enterprise makes it more likely that attacks hide in plain sight for prolonged periods of time."

Nikhil Girdhar, senior director of data security at Securiti, says:

The recent revelation of a data breach affecting the UK's registered voters is deeply concerning, both because of its scale and the significant delay in its disclosure. This incident underscores the pressing need to evaluate organizational preparedness in both preventing and responding to security threats.

With limited resources, both human and technological, security teams must strategically identify assets that hold sensitive data. The focused approach enables them to efficiently allocate resources to strengthen security controls such as login requirements, access policies, and firewall rules for pivotal data systems. Given the myriad of alerts that SOC teams process daily, it's paramount to prioritize notifications associated with these critical systems, ensuring a rapid and effective incident response.

Some experts believe that Russia is likely to be behind the attack. Chris Morgan, senior cyber threat intelligence analyst at ReliaQuest, says, "Given the UK's stance in the ongoing Russia-Ukraine war, in providing financial and military aid to Ukraine, it is realistically possible that the attackers were aligned to the Russian state. While this remains theoretical at this stage, this would also fit the previous modus operandi of Russian state aligned groups attempting electoral interference."

Sir Richard Dearlove, the former head of the Secret Intelligence Service MI6, told the Daily Telegraph, “Russia would be at the top of the suspects' list by a mile. Putin's Russia sees itself in direct conflict with the West. It sees itself as fighting a great war." China is second on Sir Richard's suspect list, "…because of the value that they place on the long-term collection of data related to their strategic interests."

Brad Freeman, director of technology at SenseOn, says the information exposed could be useful for nation states. "The electoral roll itself is highly unlikely to be used directly in an attack on our democracy. However large databases are valuable for information collection by nation states especially when they are used against other datasets to build more complete pictures of our nation and its citizens."

Jason Hart, CTO EMEA at Rapid7, says all organizations can learn from this breach. "Cybersecurity is not an 'install and forget about it' job but a process that must be operationalized to ensure continual improvement and baked into business process. If we take away just one learning from this incident it is that security processes and events need to be in a continuous state of 'assess, detect, respond and automate' in order to deal with these situations effectively."

Image credit: andriano_cz/depositphotos.com