The UK Electoral Commission has disclosed a data breach that exposed the personal details of anybody who was registered to vote in the country between 2014 and 2022. Theoretically, this could leave millions of people at increased risk of identity fraud.
The data accessed by an unknown threat actor in October also pertains to those who were registered as overseas voters, meaning millions of UK citizens could have had their names and addresses stolen.
The Electoral Commission adds that anyone who tried to contact it via its website or email could also have been exposed in the attack.
“During the cyberattack, our file sharing and email systems were accessible, which contain a broad range of information and data,” it said. “The personal data most likely to have been accessible includes any names, addresses, email addresses, and any other personal data sent to us by email or held on the electoral registers.”
Such data is often used to facilitate further forms of cybercrime, including online fraud scams that try to con victims into parting with money by pretending to be someone they know or trust.
That being said, anyone in the UK who hasn’t specifically requested to go ex-directory would already have their basic details such as name and address publicly accessible via services such as 192.com.
“We don’t know how this data might be used, but according to the risk assessment used by the Information Commissioner’s Office, the personal data held on electoral registers, typically name and address, does not in itself present a high risk to individuals,” said the commission.
However, it added: “There is no indication that information accessed during this cyber-attack has been published online, but there remains the possibility that some information has found its way into the public domain.”
Despite waiting months pending an internal investigation into the attack before disclosing it to the public, the commission says it still does not know who was responsible. It has reported the incident to the UK’s National Cyber Security Centre and the Information Commissioner’s Office.
Since the breach, the commission claims it has taken measures to improve its cybersecurity. Anyone registered to vote during the affected timeframe who’s concerned about the possible misuse of their personal information can learn more about the incident here.