Britain's election watchdog said on Tuesday it had been targeted in a complex cyber incident first identified last October, which involved its systems being accessed by “hostile actors.”
The Electoral Commission, which reported the hack, is the independent body which oversees elections and regulates political finance in Britain.
“Hostile actors were active in our systems and had access to servers which held our email, control systems, and copies of the electoral registers,” it said in a series of posts on social media platform X, formerly known as Twitter.
Much of the data in the registers – including the names and addresses of those registered to vote between 2014 and 2022 and the names of overseas voters – was already in the public domain, the commission added.
But the registers did not include the details of those registered anonymously.
The commission has worked with Britain's National Cyber Security Centre and external experts to investigate the incident and had since made improvements to the security of its IT systems, it said.
The attack was identified in October 2022, but the hackers had first been able to access the commission’s systems in August 2021.
Shaun McNally, the Electoral Commission’s chief executive, said: “The UK’s democratic process is significantly dispersed and key aspects of it remain based on paper documentation and counting.
“This means it would be very hard to use a cyberattack to influence the process.
“Nevertheless, the successful attack on the Electoral Commission highlights that organisations involved in elections remain a target, and need to remain vigilant to the risks to processes around our elections.”
He said significant measures had been taken to improve security on the commission’s IT systems.
The hackers were able to access reference copies of the electoral registers, held by the commission for research purposes and to enable permissibility checks on political donations.
The register for each year holds the details of around 40 million individuals, which were accessible to the hostile actors, although this includes people on the open registers, whose information is already in the public domain.