The details of all UK voters were exposed to hackers for more than a year after the Electoral Commission was the victim of a major cyber attack.
The elections regulator said it was first hacked in August 2021 but the issue was not identified until more than a year later in October 2022.
The watchdog, which also oversees the finances of political parties, said the attack highlighted how the “UK’s democratic process and its institutions remain a target for hostile actors online”.
Shaun McNally, the chief executive of the Electoral Commission, said that while the watchdog knows which systems the perpetrators gained entry to, it does not know “conclusively what files may or may not have been accessed”.
But he said that due to the UK’s largely paper-based process for elections it would be difficult for hackers to influence the outcome of a vote.
Between the attack taking place and its being identified, the Scottish local elections were held on May 5, 2022, when nearly two million people cast a ballot.
The hackers had access to the Electoral Commission’s servers which hold emails, control systems and copies of the voting registers.
The registers include the names and addresses of those registered to vote between 2014 and 2022 and the names of overseas voters – but not the details of “anonymous voters”.
Those registered to vote during that time may have participated in the Scottish independence referendum; the 2016 Brexit referendum; the 2015, 2017 and 2019 general elections; the 2016 and 2021 Scottish Parliament elections; and the 2017 and 2022 Scottish council elections.
More than 40 million people were registered to vote in the 2019 general election alone.
“While much of this data is already in the public domain, we understand the concern this may cause,” the Electoral Commission tweeted.
“We regret that we could not prevent this cyber-attack and apologise to those affected.”
McNally said the regulator has made improvements to the security, resilience, and reliability of its IT systems following the cyber attack.
He said: “The UK’s democratic process is significantly dispersed and key aspects of it remain based on paper documentation and counting.
“This means it would be very hard to use a cyber-attack to influence the process.
“Nevertheless, the successful attack on the Electoral Commission highlights that organisations involved in elections remain a target, and need to remain vigilant to the risks to processes around our elections.
“We regret that sufficient protections were not in place to prevent this cyber-attack. Since identifying it we have taken significant steps, with the support of specialists, to improve the security, resilience, and reliability of our IT systems.”
As part of the attack, hostile actors were able to access reference copies of the electoral registers, held by the commission for research purposes and to enable permissibility checks on political donations.
“The registers held at the time of the cyber-attack include the name and address of anyone in the UK who was registered to vote between 2014 and 2022, as well as the names of those registered as overseas voters,” McNally continued.
“The registers did not include the details of those registered anonymously. The Commission’s email system was also accessible during the attack.
“While the data contained in the electoral registers is limited, and much of it is already in the public domain, we understand the concern that may have been caused by the registers potentially being accessed and apologise to those affected.”