Electoral Commission hack: Five things you need to know

The public statement only raises more questions

Yesterday the UK's election regulator, the Electoral Commission, announced that it was hacked in 2021. The breach took more than a year to find, and 10 more months for the public to be told. Here are the five key takeaways you need to know.

1. Who's responsible?

So far, we don't know. Attribution is notoriously difficult in cybercrime, and all the Commission says is that "hostile actors" accessed its systems in August 2021.

The length of time between the breach taking place and being discovered will have made attribution a bit more difficult. That said, the "external security experts" the Commission is working with should still be able to make some educated guesses, using information like attack paths, payloads and motives - especially considering how long they've had to analyse the incident.

The fact that the attackers remain unidentified is a concern. Interference in democratic systems by hostile states carries significant implications, and there is a strong argument for this being discussed openly and transparently.

We also don't know how the attackers got in. Commission Chair John Pullinger told the BBC that the "very sophisticated" attack involved using "software to try and get in and evade our systems," but this leaves many unanswered questions.

2. What did they take?

Personal information, and quite a lot of it.

Whoever they were, the attackers were able to access the Commission's servers holding its email, control systems and copies of the electoral registers. Those included the name and address of anyone in the UK who registered to vote between 2014 and 2022, as well as the names of those registered as overseas voters.

Personal data in the Electoral Register entries included names (first names and surnames), the home address in register entries, and the date on which a person achieves voting age that year.

The email system was technically worse. It contained:

Has any of this data been exfiltrated? We just don't know, although with as many as 15 months to work before discovery we can assume so.

3. Why did it take so long for us to hear about it?

Technically, the Electoral Commission fulfilled its legal obligations under the UK GDPR. It told the ICO about the breach within 72 hours of discovery, and set about remediating it.

Article 34 of the GDPR says a data subject - that is, anyone affected by a breach - must be informed "without undue delay" if the breach "is likely to result in a high risk to the rights and freedoms of natural persons."

The Commission judged that the accessed personal data "does not pose a high risk to individuals." It makes it clear that it is notifying people now because of the data volume, rather than its sensitivity.

However, this is far from the norm. Even when personal data was not accessed, or was not judged to be of high risk, the de facto standard now is to tell data subjects at the same time as the regulator. Why the Electoral Commission failed to do so is unknown.

Mark Ridley, an experienced CIO and director at Ridley Industries, disagreed with the Commission's judgement of the data's sensitivity.

"If I had the information and was a sneaky hacker, I'd be thinking firstly that I could do lots of nice phishing with the electoral register data, pretending to be from a number of government agencies.

"Secondly, if it was all the mailboxes in all the past and current employees, there would be an absolute treasure trove of employee and external information to mine... That would mean anyone/everyone should be very suspicious of any email or physical mail they receive from the government for a while."

Dewi Price, CIO at Inizio Digital and formerly of institutions including Open University, Thames Water and Imperial College London, asked, "If they knew about the breach in October 2022, why has it taken 10 months to provide notification? The excuse that they 'had to remove the actors and their access' and 'put additional security measures in place' points to a very cumbersome technology estate and worrying lack of responsiveness."

The breach timeline - dating to August 2021 but not being discovered until October 2022 - points to a less-than-annual security review. Questions must be asked: is this acceptable for central government?

4. Will this affect elections?

According to the Electoral Commission, no. The UK's low-tech paper voting system is difficult to affect with a cyberattack, and the Commission says the breach hasn't affected anyone's electoral status.

"The UK's democratic process is significantly dispersed and key aspects of it remain based on paper documentation and counting. This means it would be very hard to use a cyber-attack to influence the process."

Additionally, the Commission only holds copies of electoral registers for research purposes. Local authorities hold the live versions, which are used to send out polling cards and at polling stations - those were unaffected by the attack.

5. What is the Electoral Commission doing about it?

As is standard in these situations, we don't know exactly - the Commission doesn't want to broadcast its cyberdefence posture to the world.

We do know that the organisation has worked with external security experts and the National Cyber Security Centre to secure its systems and improve protections around personal data.

Those external partners have strengthened network login requirements, improved the monitoring and alert system for active threats and reviewed and updated the Commission's firewall policies.

Dewi told us, "Breaches happen, but responding quickly to stop further damage, and communicating transparently to regain trust, are critical. On the face of it, neither of those things appears to have happened in this case."