
Hackers Access UK Electoral Rolls

UK officials have disclosed that hackers gained access to electoral rolls, email, and other data in 2021 and stayed in the system until 2022, when their presence was discovered. It is not clear why the government waited nearly a year to disclose the attack, during which the perpetrators were able to access voter data going back to 2014. In an age when most countries are extremely sensitive about election security, this is undoubtedly a troubling event for UK officials.

Why It Matters

Most "best practices" advice would tell you that if you discover an attack on your network, you need to disclose it to stakeholders within a matter of days or weeks...not a year. There likely were additional sensitivities to this investigation that precluded making it public before now (there are indications that this was carried out by a foreign intelligence agency, thus raising national security issues). However: don't use the UK officials' timetable as any kind of guideline about breach reporting.

Instead, follow their example and be transparent about the facts of the situation when you do disclose it: tell stakeholders what was taken (or what was accessible), how long the bad guys were in your system, when the attack started and ended, and other material matters. The regulators here have gone a step further and identified ways in which voter data might be used by threat actors. You do not need to do that, but you should count on disclosing more than you may be accustomed to in a commercial setting. This is not the time to keep secrets.  

The hackers accessed copies of voter registries which included the names and addresses of any UK voters registered between 2014 and 2022. The information accessed by the hackers also included email addresses among other information, potentially putting information associated with tens of millions of people at risk. The agency noted that “much” of the data is already in the public domain, but that it “is possible however that this data could be combined with other data in the public domain, such as that which individuals choose to share themselves, to infer patterns of [behavior] or to identify and profile individuals.”


data security and privacy, hill_mitzi, insights