What’s the significance of the Electoral Commission cyber-attack?
The Electoral Commission has suffered a big cybersecurity attack as the BBC reports:
The Electoral Commission said unspecified “hostile actors” had managed to gain access to copies of the electoral registers, from August 2021.
Hackers also broke into its emails and “control systems” but the attack was not discovered until October last year…
The watchdog said the information it held at the time of the attack included the names and addresses of people in the UK who registered to vote between 2014 and 2022.
This includes those who opted to keep their details off the open register – which is not accessible to the public but can be purchased, for example by credit reference agencies.
This incident is a reminder of the value in the way we do elections, i.e. heavily paper-based and with a dispersed administration of voting and counting. That setup makes it much harder to influence results than with online voting and centralised systems.
Although a story about hacking of election data may make people worried about electoral fraud, I’m not convinced that having illegally got a copy of the full electoral register for the country makes electoral fraud noticeably easier. (What would you actually do that’s effective and requires this data?)
But, for more general identify theft, tracking down people, etc. it’s likely to be of more use for nefarious purposes (and hence my previous interest in NHS data). Which is why it’s always puzzled me why the finance sector doesn’t take more interest in the security and accuracy of the electoral register.
The electoral register isn’t just about elections. It underpins many other activities too – and that is where, I strongly suspect, we should look for any negative consequences of the hack.
I was the first party election agent of what became the first UK Green Party (then the Ecology Party, in the late 1970s and have an M Phil in Green Issues in UK Politics. Too old now to be active but still interested in our democracy!
Why was the EC holding all these registers in the first place?
Main reason is to check the permissibility of donations, and also the EC does significant research into how the electoral registration system is working.
While we worry about cyber-attacks and hostile actors, perhaps a more important issue is that organisations in general tend to digitise data without thinking of the consequences for security. Two recent examples of this are the PSNI data leak in response to a FoI request, and genealogy group Scotland’s People putting records of Scottish adoptions since 1909 online. Once something is out on the internet, it can never be recalled, so there is an ongoing and unquantifiable risk.
https://www.theguardian.com/society/2023/aug/09/scottish-government-website-reveals-names-thousands-adopted-children
I think there is a concern that the fact that the EC was hacked and the list accessed could be used to undermine faith in democracy. We may know that it will have no impact but I can see some actors using the hack to question how robust our system is.