The Electoral Commission has apologised after admitting hackers were able to access the names and addresses of anyone in the UK registered to vote between 2014 and 2022.

Hackers had access to the names and addresses of millions of voters in the UK for more than a year before anyone noticed, it has been revealed.

The Electoral Commission has admitted cyber-attackers were able to access reference copies of electoral registers from between the years 2014 and 2022 - documents which contained details of the tens of millions of people who registered to vote during that timeframe.

While the security breach was only made public on Tuesday (8 August), it first took place all the way back in August 2021. However, it took the watchdog over a year to realise the cyber-attack had even happened - with reports to the Information Commissioner’s Office (ICO) and National Crime Agency only made in October 2022.

Explaining why it took so long to detect the hackers, the Electoral Commission said the attack had “used a sophisticated infiltration method intended to evade our checks”. The data which was at risk included the names and addresses of anyone in the UK who was registered to vote between 2014 and 2022, as well as the names of those registered as overseas voters.

A spokesperson for the watchdog has admitted they are “not able to know conclusively” exactly what or whose information had been accessed - but said “much of the data” was already in the public domain. They also added that, due to the paper-based process of elections in the UK, it would be “very hard” for the hackers to influence the outcome of a vote - but acknowledged that voters would likely still be concerned.

In a statement, Shaun McNally, the Electoral Commission’s chief executive, said: “The UK’s democratic process is significantly dispersed and key aspects of it remain based on paper documentation and counting. This means it would be very hard to use a cyber-attack to influence the process.

“Nevertheless, the successful attack on the Electoral Commission highlights that organisations involved in elections remain a target, and need to remain vigilant to the risks to processes around our elections.

“We know which systems were accessible to the hostile actors, but are not able to know conclusively what files may or may not have been accessed. While the data contained in the electoral registers is limited, and much of it is already in the public domain, we understand the concern that may have been caused by the registers potentially being accessed.”

He then apologised to those affected - and assured voters that “significant” measures had since been taken to improve the security of the watchdog’s systems.

The Electoral Commission holds the details of voters for research purposes, and to enable permissibility checks on political donations. This data is gathered in an electoral register, which includes the names and addresses of the roughly 40 million people in the UK registered to vote each year.

This information was available during the hack, although the details of those registered to vote anonymously were not accessed.

In response to the cyber-attack, the National Cyber Security Centre provided the Electoral Commission with expert advice and support. A spokesperson said: “Defending the UK’s democratic processes is a priority for the NCSC and we provide a range of guidance to help strengthen the cyber resilience of our electoral systems.”

The Information Commissioner’s Office, which is looking into the incident, added: “We recognise this news may cause alarm to those who are worried they may be affected and we want to reassure the public that we are investigating as a matter of urgency.