A "complex cyber-attack" that may have affected millions of voters was the target of, according to the UK's elections watchdog.
According to the Electoral Commission, unnamed "hostile actors" were able to obtain copies of the electoral rolls beginning in August 2021.
Additionally, its emails and "control systems" were compromised by hackers; nevertheless, the incident was not identified until October of last year.
The watchdog has issued a warning to the public about unlawful data use.
In a public notice, the commission said hackers accessed copies of the registers it was holding for research purposes, and for conducting checks on political donors.
Chief executive officer Shaun McNally said the commission knew which of its systems were accessible to the hackers, but could not "conclusively" identify which files may have been accessed.
The watchdog said the information it held at the time of the attack included the names and addresses of people in the UK who registered to vote between 2014 and 2022.
This includes those who opted to keep their details off the open register - which is not accessible to the public but can be purchased, for example by credit reference agencies.
The data accessed also included the names - but not the addresses - of overseas voters, it added.
However, the data of people who qualified to register anonymously - for safety or security reasons - was not accessed, the watchdog said.
The commission says it is difficult to predict exactly how many people could be affected, but it estimates the register for each year contains the details of around 40 million people.
It added that the personal data held on its email servers was "unlikely to present a high risk to individuals," although information included in the body of an email or in an attachment could be vulnerable.
The personal data held on the registers - name and address - did not itself present a "high risk" to individuals, it added, although it is possible it could be combined with other public information to "identify and profile individuals".
It has not said when exactly the hackers' access to its systems was stopped, but said they were secured as soon as possible after the attack was identified in October 2022.
Explaining why it had not made the attack public before now, the commission said it first needed to stop the hackers' access, examine the extent of the incident and put additional security measures in place.
Defending the delay, commission chair John Pullinger said: "If you go public on a vulnerability before you have sealed it off, then you are risking more vulnerabilities."
He said the "very sophisticated" attack involved using "software to try and get in and evade our systems".
He added that the hackers were not able to alter or delete any information on the electoral registers themselves, which are maintained by registration officers around the country.
Information about donations and loans to political parties and registered campaigners is held in a system that is not affected by this incident, the notice added.
Mr McNally said he understood public concern, and would like to apologise to those affected.
The commission added that it had taken steps to secure its systems against future attacks, including by updating its login requirements, alert system and firewall policies.
The Information Commissioner's Office, which is responsible for data protection in the UK, said it was urgently investigating.
On paper, this is about as serious as it gets.
Hackers interfering in elections is one of the biggest fears of the democratic world.
Luckily, the commission says in this case the cyber intruders did not have an impact on any elections, or anyone's registration status.
But make no mistake - this is still a serious breach and the nature of the attack is telling.
For supporters of the UK's manual voting system, the attack will bolster the case against using e-voting in future.
"Pen and paper can't be hacked" is often what supporters say when debates about modernisation come about.
The fact the hackers were inside the Electoral Commission systems from August 2021 indicates this was not a criminal hacking operation looking to make a quick buck through extortion.
This was a patient and skilled adversary to have been inside undetected for so long.
This operation looks like a probing one seeking out information about the UK's democratic process to search for weaknesses.
The Electoral Commission isn't saying who it was (if they know).
1
2
3
4
.svg)
