U.K. voters could have had their data accessed by “hostile actors”, starting in August 2021, the U.K. Electoral Commission announced on Tuesday, without naming any suspects. The authorities became aware of the breach only in October 2022, by which time hackers had access to electoral registers which contained the names and addresses of those registered to vote in the U.K. between 2014 and 2022 , as well as names of overseas voters. It is possible that the data of Indian citizens could have been breached — since some Commonwealth citizens (including Indians) who live in the U.K. are eligible to vote in local and general elections.
“We know which systems were accessible to the hostile actors, but are not able to know conclusively what files may or may not have been accessed,” Electoral Commission chief executive, Shaun McNally said, adding that steps had been taken to beef up security and resilience since the attack. The leak could potentially involve the data of over 40 million people.
The U.K.’s election process is dispersed and key elements of it are based on paper documentation and counting, Mr. Mcnally said. He also said that “much” of the data was already in the public domain.
Though suspects have not been formally named, David Omand, former chief of Britain’s intelligence establishment, Government Communications Headquarters or GCHQ, said Russia was “first on my [his] list of suspects”.
“We don’t know for certain... but I mentioned Russia deliberately because of the past record of both the Russian military intelligence GRU and civilian agency, the SVR, in interfering with Western elections,” Mr Omand told BBC Radio 4.
Electoral Commission Chair John Pullinger defended the decision not to inform the public about the data breach until this week, some ten months after it was first discovered.
“...If you go public on a vulnerability before you have sealed it off, then you’re risking more vulnerabilities,” he told Radio 4.
