A simple, very dark night time image of hands on an illuminated keyboard typing. Shady person wearing a hood at a computer or laptop in the dark.

The UK’s Electoral Commission has admitted that it suffered a cyber attack over two years that potentially exposed the personal details relating to millions of voters.

The London-based elections watchdog announced the data breach yesterday afternoon and issued an apology to the public, as well as an FAQ webpage with details on the cyber attack and how the investigation has been handled.

The Electoral Commission said hackers had been surreptitiously accessing its computer network since August 2021. The attackers had access to servers that held the watchdog’s email, control systems, and copies of the electoral registers.

This means the hackers would have been able to access the full names and addresses of all people in the UK registered to vote between 2014 and 2022, as well as the names of overseas voters.

“We regret that sufficient protections were not in place to prevent this cyber attack. Since identifying it we have taken significant steps, with the support of specialists, to improve the security, resilience, and reliability of our IT systems,” said the Electoral Commission’s chief executive Shaun McNally.

”While the data contained in the electoral registers is limited, and much of it is already in the public domain, we understand the concern that may have been caused by the registers potentially being accessed and apologise to those affected.”

Read more The odd spat within a party is a healthy thing but DUP leader knows there’s a line to be drawn

However, he emphasised that it would be very hard to use a cyber attack to influence elections, as the UK’s democratic process is “significantly dispersed and key aspects of it remain based on paper documentation and counting”.

The cyberattack was only detected in October 2022, after which the elections watchdog contacted the National Cyber Security Centre (NCSC) and third-party external security experts to help investigate and secure its systems.

Worryingly, the Electoral Commission said that it was still not able to establish what exactly the hackers had been able to look at or what information they might have stolen.

”We know which systems were accessible to the hostile actors, but are not able to know conclusively what files may or may not have been accessed.”

However, it said that the information exposed in the data breach would not be enough for someone to impersonate any voter under current voting rules, and the cyber attack will not impact your ability to take part in any future elections.

The electoral watchdog also said the incident would not have an impact on anyone’s credit score. This issue will be of less concern to users who have agreed for their names and addresses to be included in the open register, which is already publicly available, but it could be upsetting to people who opted out of the open register.

For these people, the Electoral Commission said it could only apologise. It said that it has taken steps to secure its systems better, including strengthening network login requirements, improving the monitoring and alert system for active threats, and updating firewall policies.

© Evening Standard