Q&A: What data was accessed? Is my name and address online? Your questions answered after electoral roll cyber attack sees the details of more than 40 million people leaked
- Read more: The TWO shocking data breaches in the UK that defy belief
In what is the biggest data breach in UK history, more than 40million voters may have had their data stolen as hackers had access to the Electoral Commission’s systems for 14 months without being detected.
‘Hostile actors’ could possibly have obtained the name and address of nearly every voter in the country.
The National Cyber Security Centre, which is probing the incident, has not ruled out the possibility of a foreign state attack.
To answer any questions that you may have regarding the attack, read below:
More than 40million voters may have had their data stolen in the biggest data breach in UK history [File image]
What data was accessed?
The hackers were able to see the names and addresses of anyone who was registered to vote in the UK between 2014 and 2022, as well as those registered as overseas voters, including those who opted to keep their details off the open register.
The details of anonymous voters – who are not identified for security or safety reasons – were not accessible.
Any details provided to the Electoral Commission via email or through forms on its website, such as the ‘contact us online’ form may also have been compromised.
READ MORE: The name of EVERY police officer in Northern Ireland is published in error
Investigators have been unable to ascertain whether the attackers read or copied personal data.
Who was behind it?
No groups or individuals have claimed responsibility for the attack, which the Electoral Commission has described as the work of ‘hostile actors’.
MI5 considers ‘hostile actors’ to include foreign state attacks, criminals, ‘hacktivist’ groups and terrorists.
Foreign states are generally equipped to conduct the most damaging cyber espionage and computer network attacks, according to MI5.
How serious is this breach?
The data contained in the electoral registers is limited and much of it is already in the public domain.
According to the risk assessment used by the Information Commissioner’s Office to assess the harm of data breaches, the personal data held on electoral registers, typically name and address, does not in itself present a high risk to individuals.
It is possible however that this data could be combined with other data in the public domain to infer patterns of behaviour or to identify and profile individuals.
Electoral Commission chief executive Shaun McNally, pictured visiting polling stations with his dogs on voting day on May 5 last year, in a photograph issued by the commission
Is my name and address online?
There is no indication that information accessed during this cyber-attack has been published online, but there remains the possibility that some information has found its way into the public domain.
There are a number of steps that can be taken to check whether your personal information is publicly available.
If you want to check if your email address has been compromised, you can search https://haveibeenpwned.com/ to see if it has been released through reported data breaches.
To see what information the Electoral Commission holds on you, you can submit a subject access request by filing in a form, or apply via email or phone.
If you think you have supplied financial data to the Electoral Commission via email, there are free online credit check tools by reputable companies like Experian, which include online identity theft protection and monitoring.
The National Cyber Security Centre also provides advice about securing your data.
Why are the public only finding out now?
The Electoral Commission was alerted to the attack by a suspicious pattern of log-in requests to its systems in October 2022.
It then emerged that the ‘hostile actors’ had first accessed servers in August 2021.
Officials delayed informing the public because security experts needed to remove the hackers and their access to our system.
The Commission had to assess the extent of the incident to understand who might be impacted and put additional security measures in place to prevent any future attacks.
Source: Read Full Article