UK Electoral Commission Hacked

The UK Electoral Commission discovered last year that it was hacked the year before. That’s fourteen months between the hack and the discovery. It doesn’t know who was behind the hack.

We worked with external security experts and the National Cyber Security Centre to investigate and secure our systems.

If the hack was by a major government, the odds are really low that it has resecured its systems—unless it burned the network to the ground and rebuilt it from scratch (which seems unlikely).

Posted on August 16, 2023 at 7:17 AM14 Comments


Peter Galbavy August 16, 2023 7:26 AM

Hey! It’s the UK government. They’ll outsource the clean-up to experts like Crapita. Nothing to see here.

Paul852 August 16, 2023 7:34 AM

Well OK, but the Electoral Register (which, I as I understand it, is all that was accessible) is in any case accessible to the public (albeit in a more manual way). I don’t see this as being a major cause for alarm.

But then again I’m old enough to remember phone books and the suspicion with which we viewed people who were ex-directory.

tfb August 16, 2023 8:49 AM

@Paul852, I think you are making two mistakes.

  1. Nobody knows what information leaked. What we know (if we trust them, which probably we have to) is that they know the electoral register was leaked. But if we believe Bruce, it’s also very likely that the bad people are still in their systems, now. If that’s true then they do not know the full extent of the attack. Indeed they can not know it since it is still in progress,
  2. Access to the electoral register does not have to mean read-only access.

Mirandel August 16, 2023 9:17 AM

… this could NOT happen in U.S.

U.S. electoral system is extremely secure from both external & internal tampering.
All official election results are absolutely correct, with no margin of error whatsoever.

Any election tampering or fraud would very quickly be detected and neutralized by a robust realtime nationwide electoral monitoring system — that is itself totally immune to external/internal tampering.


Clive Robinson August 16, 2023 10:14 AM

@ Bruce,

“unless it burned the network to the ground and rebuilt it from scratch”

Hmm, you are getting wiser in your older age[1] 😉

Sadly it’s more or less true for a whole variety of reasons.

Firstly the ever present Zero Days and vulnerabilities being worked on by the vendor who has yet to release a patch.

Then whilst people do “patch the apps” and “patch the OS”,

“How many patch the firmware?”

And of course,

“How many hardware vendors issue patches anyhow?”

@ ALL,

Remember the vulnarability an APT attacker uses after infiltrating your systems,is often not the vulnarability they used to infiltrate in the first place.

So if you do not have a record of the infiltration in progress, you might never know how they got in. If you don’t know how they first got in the odds are you can not fix the vulnerability so you will still be vulnerable to reintrusion.

Oh and have a look back on how Lenovo put “persistant malware” on their professional laptops back in 2015,

xxx ps://

This was after they put “Superfish” on their consumer models and got a public back lash…

But even quite recently,

And who can forget,

And it’s dire warning of,

“While still rare, so-called SPI implants are growing more common. One of the Internet’s biggest threats—a piece of malware known as Trickbot—in 2020 began incorporating a driver into its code base that allows people to write firmware into virtually any device.

And not much has changed…

Now ware did I leave that box of matches 😉

[1] For those who are “shocked” Bruce and I are of a similar age, and “badger” features strongly in both our beards and yes I wear a hat to stop sun burn as well 😉

Clive Robinson August 16, 2023 10:40 AM

@ Peter Galbavy, ALL,

Re : Crapita lost more than marbles.

Hey! It’s the UK government. They’ll outsource the clean-up to experts like Crapita. Nothing to see here

Do you remember the “Ankle Bracelet Scandal”?

From Wikipedia,

“[T]here were a number of scandals in relation to electronic monitoring in England and Wales, with a criminal investigation opened by the Serious Fraud Office into the activities of Serco and G4S. As a result of the investigation, Serco agreed to repay £68.5 million to the taxpayer and G4S agreed to repay £109 million. The duopoly were subsequently stripped of their contract, with Capita taking over the contract. In 2017, another criminal investigation saw police make a number of arrests in relation to allegations that at least 32 criminals on tag had paid up to £400 to Capita employees in order to have ‘loose’ tags fitted, allowing them to remove their tags.”

Ted August 16, 2023 11:10 AM

Sir Richard Dearlove, former head of MI6, said the Kremlin would “be at the top of the suspects list by a mile.”

Of course, this is not an official attribution.

It’s interesting to note, also, that Privacy International refloated a Jan 2021 report they co-wrote with the U of Edinburgh, titled “Micro-Targeting in Election Campaigns.”

The report says political parties commonly use the register “as a ‘spine’ on which to add more granular and detailed information” to be able to “send personalised communications to the data subject.”

People may want to likewise, as always, stay vigilant with regards to phishing campaigns.

Chelloveck August 16, 2023 11:26 AM

@tfb: The FAQ Bruce linked to addresses your second point. They say that the copies of the data accessed were being used for research and to check the permissibility of donations. The authoritative version is held by local election commissions. If that’s true, it sounds like the worst that could happen by changing the records would be to erroneously validate or invalidate certain entities’ donations. (Which could still be bad depending on the size of the donations, but it does limit the scope of possible damage.)

tfb August 16, 2023 12:28 PM

@Chelloveck: thanks, I should have read the FAQ more carefully.

… Now of course the appropriate conspiracy theory would be that this hack was done by a political party in order to make various donations appear legal.

(Just to be clear: I don’t think that. They’d just conceal the source of the donations in the standard way.)

Clive Robinson August 16, 2023 1:07 PM

@ tfb, Ted, ALL,

Re : ’twas t’ buttler wot dun it.

“Now of course the appropriate conspiracy theory would be that this hack was done by a political party in order to make various donations appear legal”

Nagh old Dodgy Dearlove gave you the heads up “it were them darn ruskies, tis always da ruskies”

Now whistle along to,

Yup it is sixty years old, so nuch time so little change 😉

Bill August 17, 2023 4:42 AM

the odds are really low that it has resecured its systems

I think you mean that the odds are really high. (Low odds mean high probability.)

Jay August 17, 2023 9:12 AM

@Bill Low odds are also low probability. Since odds are successes:failures, higher odds mean higher probability of success, and lower odds mean lower probability of success. E.g.: 1:9 odds of having resecured their systems is both lower probability and lower odds than 3:7 odds of having resecured their systems (.11 odds/.1 prob. < .43 odds/.3 probability).

Massive off-topic, sorry.

k3ninho August 18, 2023 3:04 PM

I’m on that register. That’s a published register for spammers to buy and an unpublished register for sending to election teams and polling stations. The latter, full-detail, register with data from most of the 2010’s seems to have been available from an internet endpoint like an AWS EBS, without accreditation, for a chunk of time. We have an Information Commissioner Office to report on this, I’m grateful it’s come to light and public awareness, they might have forgotten to publish it, not malicious but certainly bungling it again.

I expect to receive more spam. I expect that any foreign power that got ahold of this used it to correlate their pre-existing knowledge of privileged players — those with high security clearances — in the UK.


gerrard September 15, 2023 1:55 PM

Notwithstanding my confirmed suspicions re the inadequacy of our minor governmental organisations’ governance procedures, the impact according to the “confession” appears to suggest only names and postal address have been exposed, except for 16-18 year olds in england. I imagine there to be some ability to correlate with e.g. email/social media stolen database somewhere, and thereby to produce a target list for disinformation or phishing purpose. But I may be just imagining.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.