Unraveling the EC Data Breach: Cybersecurity Experts Weigh In on the Implications

The UK Electoral Commission's (EC) notification of a data breach on August 8 reveals a concerning timeline of events, featuring an unknown threat actor interfering with an agency linked to democratic processes and potentially exposing millions of British citizens' data, igniting discussions among cybersecurity experts.

The cybersecurity community has already begun to dissect the information available from the EC’s notification about the cyber-attack. Infosecurity spoke to our network of cybersecurity experts to answer some of the questions you may have about the incident.

Is the Data Exposure Cause for Concern?

During the cyber-attack, the perpetrators had access to the Commission’s servers, which held the EC’s email, control systems, and copies of the electoral registers.

This included the name and address of anyone in the UK who was registered to vote between 2014 and 2022. Also included was any personal data contained in the Commission's email system.

Personal data affected by this incident:

  • Name (first name and surname).
  • Email addresses (personal and/or business).
  • Home address.
  • Contact telephone number (personal and/or business).
  • Content of webforms and emails that may contain personal data.
  • Any personal images sent to the Commission.
  • Home address in register entries.
  • Date on which a person reaches voting age that year.

“It's highly concerning that names and addresses appear to have been stolen in this attack – if this data is leaked then people can find citizens’ addresses just from their names,” said Jamie Moles, Senior Technical Manager at ExtraHop.

Others have argued that this data breach is not as calamitous as some say because the data can all be accessed by the public.

Speaking to Infosecurity, William Thomas, CTI Researcher at Equinix Threat Analysis Center & Co-Founder of Curated Intelligence, said: “Many of my peers and fellow security experts have played devil’s advocate by stating that it’s possible to buy the electoral voter registration database, and that many services do this, such as http://192.com. Therefore, the severity of this breach could be overhyped.”


Thomas said that this analysis focuses too much on the database itself and ignores the bigger picture that a suspected state-sponsored APT group has been potentially reading every email and document belonging to the UK Electoral Commission that supports our democracy, potentially looking for weaknesses.

Andrew Bolster, Senior Manager of R&D at Synopsys Software Integrity Group, added: “This intrusion into the internal electoral register – particularly the exposure of registrants’ records who had opted out of the public register – could pose a significant risk to citizens if correlated with other datasets such as credit records and company registration data.”

Is the Timeline of the Breach Worrying?

There is quite clearly a resounding ‘yes’ in answer to this question. The timeline seems shocking because the threat actor had access to the Electoral Commission's networks for 15 months undetected.

The other worry is the time from detection to notifying the public – the intrusion was first identified in October 2022 but the public notification did not occur until August 2023.

Timeline:

  • August 2021: Hostile actor gains access to systems.
  • October 2022: Incident identified.
  • August 8, 2023: Electoral Commission notifies the public.

Thomas said the most concerning aspect of the long-term access the hostile actor had is that the UK government may not know exactly what the adversary has stolen or the ultimate end goal of the operation.

He noted that as far as we know, there have not been any extortion attempts and no claim of responsibility from a threat actor.

Gary Barlet, Federal Field CTO at Illumio, said: “Based on the current information disclosed, it looks like a slow and low attack. However, while the impact of the attack is low, the fact it was undetected for so long will leave questions about what else attackers were doing as it doesn’t take that long to steal that data.”

Thomas added that the most likely scenario is that this was a long-term intelligence gathering operation by a state-sponsored advanced persistent threat (APT) group.

Richard Forrest, Legal Director at data breach solicitors Hayes Connor, added: “The Electoral Commission must now reflect on whether there were missed opportunities to prevent this risk and understand the ongoing efforts to address it.”

Is There a Threat to the UK's Democracy?

In a statement following the publication of the breach, Shaun McNally, Chief Executive of the Electoral Commission, insisted that the attack did not influence electoral outcomes, saying: “The UK’s democratic process is significantly dispersed and key aspects of it remain based on paper documentation and counting.”

However, while this cyber-attack may not have resulted in a major operational failure, it underscores what could happen, noted Nadir Izrael, CTO of Armis. “In fact, previously unreleased data from the Armis State of Cyberwarfare and Trends Report earlier this year demonstrated these concerns – with 68% of IT and security professionals in the UK agreeing that cyberwarfare could affect the cybersecurity of the electoral process.”

Many have pointed the finger towards a Russian-backed actor having carried out this attack because of the nation’s track record with election interference, including the Ukraine election of 2014, infamously the 2016 US Presidential Election, and the 2017 French election.

“These historical patterns of behavior do make Russia the most likely suspect for this campaign,” Thomas told Infosecurity. However, he noted that because technical details have not been shared by the EC, it is difficult to say with any certainty higher than low confidence that Russia was behind this operation.

Thomas said that during the Ukrainian election in 2014, Russian intelligence infiltrated Ukraine’s election authority, deleted files and implanted malware in the country’s election reporting system.

“Fortunately, the Ukrainians detected it, but if not, Russia’s plan was to declare a fake victory for a fringe right-wing candidate. We should assume that hostile actors may try to launch the very same style of attack against the UK,” Thomas told Infosecurity.

Brad Freeman, Director of Technology at SenseOn, added: “Large databases are valuable for information collection by nation states, especially when they are used against other datasets to build more complete pictures of our nation and its citizens.”

It is not known if this attack was related to geopolitical tensions, Izrael noted.

“Yet regardless of the attacker's aim, it is imperative for security teams to remain highly vigilant as threat groups continue to work toward disrupting the daily lives of citizens by targeting their most critical systems,” he added.