By Paul Seddon
Politics reporter
The UK’s elections watchdog has revealed it has been the victim of a “complex cyber-attack” potentially affecting millions of voters.
The Electoral Commission said unspecified “hostile actors” had managed to gain access to copies of the electoral registers, from August 2021.
Hackers also broke into its emails and “control systems” but the attack was not discovered until October last year.
The watchdog has warned people to watch out for unauthorised use of their data.
In a public notice, the commission said hackers accessed copies of the registers it was holding for research purposes, and for conducting checks on political donors.
It said the information it held at the time of the attack included the names and addresses of people in the UK who registered to vote between 2014 and 2022.
This includes those who opted to keep their details off the open register – which is not accessible to the public but can be purchased, for example by credit reference agencies.
The data accessed also included the names – but not the addresses – of overseas voters, it added.
However, the data of people who qualified to register anonymously – for safety or security reasons – was not accessed, the watchdog said.
The commission says it is difficult to predict exactly how many people could be affected, but it estimates the register for each year contains the details of around 40 million people.
It added that the personal data held on its email servers was “unlikely to present a high risk to individuals,” although information included in the body of an email or in an attachment could be vulnerable.
Information about donations and loans to political parties and registered campaigners is held in a system that is not affected by this incident, the notice added.
Chief executive officer Shaun McNally said he understood public concern, and would like to apologise to those affected.
The commission added that it had taken steps to secure its systems against future attacks, including by updating its login requirements, alert system and firewall policies.
The Information Commissioner’s Office, which is responsible for data protection in the UK, said it was urgently investigating.
