UK Electoral Commission data breach

From HandWiki
UK Electoral Commission cyber attack
Target: UK Electoral Register records

The Electoral Commission of the United Kingdom suffered a data breach in 2021–2022.[1][2][3]

Events

According to the commission, the data could have been accessed as far back as August 2021, but the intrusion was not detected until October 2022.[1][2][3] Once discovered, the attack was reported to the Information Commissioner's Office, the National Cyber Security Centre and the National Crime Agency within 72 hours.[1][2][3]

The initial access vector may have been 'ProxyNotShell', a zero-day flaw in the commission's Microsoft Exchange Server (CVE-2022-41040, which in practice was chained with CVE-2022-41082).[4] ProxyNotShell was first observed being exploited in August 2022 and publicly disclosed in September 2022, so it cannot by itself account for access dating back to August 2021; the entry point has not been confirmed.
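As an added illustration (not part of the original article, and not code from the Electoral Commission or its investigators), the following Python scans IIS W3C log lines from an Exchange front end for the ProxyNotShell request shape. The detection pattern is the URL Rewrite regular expression Microsoft published as its interim mitigation for the flaw, applied here to the reconstructed request URI. The log lines are constructed for the example and do not come from the incident; the function names (`parse_iis_log`, `find_proxynotshell`, `summarise_by_source`) are this example's own.

```python
import re
from typing import Dict, List

# Microsoft's published URL Rewrite mitigation pattern for ProxyNotShell
# (CVE-2022-41040 / CVE-2022-41082), matched against the request URI.
PROXYNOTSHELL_RE = re.compile(r".*autodiscover\.json.*\@.*Powershell.*", re.IGNORECASE)

# Constructed IIS W3C log excerpt (example data, not the real incident logs).
# IIS writes "-" for an empty query string and "+" for spaces in the User-Agent.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2022-08-15 03:12:44 10.0.0.5 GET /owa/ - 203.0.113.7 Mozilla/5.0 200
2022-08-15 03:12:51 10.0.0.5 POST /autodiscover/autodiscover.json @example.org/powershell&Email=autodiscover/autodiscover.json%3f@example.org 203.0.113.7 Mozilla/5.0 200
2022-08-15 03:13:02 10.0.0.5 GET /autodiscover/autodiscover.json Email=user@example.org 198.51.100.9 Outlook/16.0 200
2022-08-15 03:13:40 10.0.0.5 POST /autodiscover/autodiscover.json @example.org/PowerShell&Email=autodiscover/autodiscover.json%3f@example.org 203.0.113.7 python-requests/2.28 401
"""


def parse_iis_log(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the #Fields header."""
    fields: List[str] = []
    entries: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        entries.append(dict(zip(fields, values)))
    return entries


def request_uri(entry: Dict[str, str]) -> str:
    """Rebuild the request URI the URL Rewrite rule would have inspected."""
    stem = entry.get("cs-uri-stem", "")
    query = entry.get("cs-uri-query", "-")
    return stem if query == "-" else f"{stem}?{query}"


def find_proxynotshell(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return entries whose request URI matches the ProxyNotShell mitigation pattern.

    Note: the match fires on attempts as well as successes, so sc-status must
    still be checked; a 401 here is a blocked attempt, a 200 merits investigation.
    """
    return [e for e in entries if PROXYNOTSHELL_RE.match(request_uri(e))]


def summarise_by_source(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count matching requests per client IP to prioritise triage."""
    counts: Dict[str, int] = {}
    for e in hits:
        counts[e["c-ip"]] = counts.get(e["c-ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_proxynotshell(parse_iis_log(SAMPLE_LOG))
    for h in hits:
        print(h["date"], h["time"], h["c-ip"], h["sc-status"], request_uri(h))
    print(summarise_by_source(hits))
```

The third sample line contains an `@` in a legitimate Autodiscover query but no `powershell` segment, so it does not match; the pattern is specific to the SSRF-to-PowerShell-endpoint chain rather than to Autodiscover traffic generally.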

The commission said that it was not able to know for certain what data was accessed or who was responsible, but that the attack showed considerable sophistication.[1][2][3] The breach did not have any impact on the electoral process: only copies of the electoral registers were visible in the breach, and the registers themselves had not been changed as a result of the attack. The commission assessed that the breach did not pose a high risk to individuals, but it did include a high volume of low-grade personal data (name, home address and, for some records, the date on which the person reaches voting age).[5]

It would have been possible to access the records of people registered to vote in the UK between 2014 and 2022, and the commission's email system would also have been accessible to the attackers.[1][2][3] About forty million people are on the electoral register.[1][2][3] Data that would not have been available included the details of anonymous registrants (people whose identity is withheld for safety reasons) and the addresses of overseas voters.[1][2][3]

The Electoral Commission apologised for the data breach.[1][2][3]

References