The 14-month-long infiltration of the Electoral Commission’s IT system by hackers is “nearly unheard of” and exposes the vulnerability of official networks to more serious attacks, a cyber security expert told i.
The independent elections watchdog revealed on Tuesday that personal details belonging to millions of voters could have been accessed by “hostile actors” during a breach that began in August 2021 but was not identified until October the following year.
The hack allowed the attackers to access reference copies of electoral registers containing the names and addresses of people registered to vote between 2014 and 2022.
Jake Moore, a global cybersecurity advisor for ESET, told i that the breach was “extremely worrying” – less for the data potentially accessed than because it went undetected for over a year.
He said: “I don’t think the hackers would have imagined they would have been undetected for so long. Over a year is nearly unheard of.”
He added: “More than the fact that data could have been stolen is the bigger issue that they were able to access and monitor while remaining undetected for so long, observing how these systems operate.”
“It was effectively a recce, a stakeout on a network from within to see exactly how it operates. The internet security software should have found it out much earlier – that’s where the embarrassment lies.”
Malign actors can use names and personal addresses online to convince members of the public that they are trustworthy, persuading them to hand over more valuable information, such as bank details.
However, the information gained from monitoring how an IT system is maintained is potentially much more valuable to hackers, Mr Moore said, enabling them to plan future attacks.
“If they find out that the Electoral Commission update daily, or immediately after a software update is released, then they know they’ve got less chance or have to be quicker when pulling off an attack. That kind of information can be very noteworthy.
“It gives inside information to hackers, who are able to create malware knowing exactly what operating system they are up against. It gives a huge advantage for a bigger attack.”
Raef Meeuwisse, another cyber-security expert, also highlighted the exceptional length of the breach.
He told i: “A concern would be that – although it is not uncommon for intrusions to be able to lurk unnoticed (we call it ‘dwell time’) for a year or more – we would not expect significant dwell time inside any system of high national value.”
“The concept that no real damage has been done by this cyber-attack ignores the fact that hostile or adversarial nation states rely on bringing voter systems into doubt,” he added.
“It is very difficult and expensive to have robust security – but this is the kind of critical UK system where that level of security should be in place.”
There is a possibility that Government IT systems operate in a similar way to that used by the Electoral Commission, Mr Moore said, though variation between the networks is likely.
He added: “There are continual vulnerabilities in Government organisations and they are well aware of this. They have notoriously spent limited resources on protecting such networks. Fortunately, more resources are going to be put back in to secure those databases.”
The Commission attributed the delay in announcing the hack to the need to put “security measures in place to prevent any similar attacks.”
Revealing the breach had taken place before its causes had been addressed would have alerted hackers to the system’s vulnerability, Mr Moore said, encouraging further attacks.
The Commission has been unable to determine the identity of the hackers or their motives.
The Electoral Commission and the National Cyber Security Centre have been approached for comment.