UK Electoral Commission data breach

UK Electoral Commission cyber attack
Target: UK Electoral Register records
Perpetrator: Ministry of State Security

The Electoral Commission of the United Kingdom suffered a data breach in 2021–2022.[1][2][3]

In March 2024 it was reported that the UK security services had identified the Chinese government as the perpetrator of the data breach.[4] In connection with the breach, the UK government has sanctioned two individuals and a company linked to the Chinese government.[5]

Events

According to the commission, the data could have been accessed as far back as August 2021 but was not detected until October 2022.[1][2][3] Once discovered, the attack was reported to the Information Commissioner's Office, National Cyber Security Centre and National Crime Agency within 72 hours.[1][2][3]

The initial vulnerability may have been a zero-day flaw referred to as 'ProxyNotShell' (CVE-2022-41040) in the commission's Exchange Server.[6]

The commission said that it was not able to know for certain what data was accessed or who was responsible, but the attack showed considerable sophistication.[1][2][3] The breach did not have any impact on the electoral process: only copies of the electoral registers were visible in the breach, and these had not been changed as a result of the attack. The commission assessed that the breach did not pose a high risk to individuals, although it did include a high volume of low-grade personal data (name, home address and, for some, the date of reaching voting age).[7]

It would have been possible to access records for people registered to vote in the UK between 2014 and 2022, and the commission's email system would also have been accessible to the attackers.[1][2][3] About forty million people are on the electoral register.[1][2][3] Data that would not have been available included that of those whose identity is kept anonymous for safety reasons and the addresses of overseas voters.[1][2][3]

The Electoral Commission apologised for the data breach.[1][2][3]

Aftermath

In March 2024, the UK government and the United States Department of the Treasury's Office of Foreign Assets Control (OFAC) sanctioned a Chinese Ministry of State Security front company called Wuhan Xiaoruizhi Science and Technology and affiliated individuals for breaching the Electoral Commission and placing malware in critical infrastructure.[8][9]

References

  1. Mason, Rowena; Farah, Hibaq (2023-08-08). "Electoral Commission apologises for security breach involving UK voters' data". The Guardian. Retrieved 2023-08-09.
  2. Robinson, Dan (2023-08-08). "UK voter data within reach of miscreants who hacked Electoral Commission". The Register. Retrieved 2023-08-09.
  3. Seddon, Paul (2023-08-08). "Cyber-attack on UK's electoral registers revealed". BBC News. Retrieved 2023-08-09.
  4. Wright, Oliver (24 March 2024). "China accused of 'malign attack' after Electoral Commission hack". The Sunday Times. Retrieved 24 March 2024.
  5. Crerar & Courea (25 March 2024). "Chinese hackers targeted Electoral Commission and politicians, say security services". theguardian.com. Guardian. Retrieved 25 March 2024.
  6. Whittaker, Zack (9 August 2023). "Parsing the UK voter register cyberattack". TechCrunch. Retrieved 9 August 2023.
  7. "Public notification of cyber-attack on Electoral Commission systems". Electoral Commission. 8 August 2023. Retrieved 18 August 2023.
  8. Psaledakis, Daphne; Pearson, James (March 25, 2024). "US, UK accuse China over spy campaign that may have hit millions". Reuters. Retrieved March 25, 2024.
  9. Hui, Sylvia (2024-03-25). "US and UK announce sanctions over China-linked hacks on election watchdog and lawmakers". Associated Press. Retrieved 2024-03-25.