Matthew K
6 min read · Aug 8, 2023

The UK Electoral Commission has been hacked.

The breached data includes the contents of the commission’s email system and the electoral registry, otherwise known as the electoral roll.

In my personal opinion, this is one of the worst breaches of recent times, and the impact is likely both immeasurable and understated. Paired with other breached and leaked data, such as that stolen from cryptocurrency organisations and others, it is very likely that there will be both digital and real-world impact on victims if this information is ever leaked. In addition, we currently do not know how threat actor access was used from when the breach first occurred in August 2021 until its eventual detection over a year later, leaving many questions unanswered.

An official statement by the Electoral Commission as well as further technical information can be found here: https://www.electoralcommission.org.uk/privacy-policy/public-notification-cyber-attack-electoral-commission-systems/information-about-cyber-attack

“…the personal data held on electoral registers, typically name and address, does not in itself present a high risk to individuals”.

This is a vague statement which, whilst true in itself, does not hold when it comes to criminal usage of data. This data really does have an impact when paired with other information, as the commission acknowledges later on in their article.

Furthermore, the commission are “unable to ascertain whether the attackers read or copied personal data held on our [their] systems”. It’s a reality that we may see the data published online and available for sale, perhaps in a similar fashion to the now defunct SSNDOB platform, which impacted United States citizens and operated for a significant period of time before its eventual demise. The impact of this platform was and will always be immeasurable. It no doubt still impacts those it affected.

Source: https://techcrunch.com/2022/06/08/fbi-ssndob-millions-social-security-marketplace/

Whilst SSNDOB contained different types of information, and information which could certainly be considered a lot more impactful, the opportunity for criminal exploitation of data which may have been exfiltrated or otherwise copied from Electoral Commission systems is heavily reminiscent of that platform. That is to say, UK electoral data paints a strong picture of familial connections and of the people who live or have lived in the same household. Similarly to SSNDOB, breached UK electoral registry data is capable of identifying both genetic and social connections between individuals, especially since the data is said to span from 2014 until 2022.

Whilst it may not be concerning to some, there’s a reason people opt out of allowing their data to be sold on sites such as 192.com. Again reflective of status quo attitudes towards privacy, why are citizens made to opt out of this data sharing model in the first place? It should not be possible for internet users across the world to purchase the Personally Identifiable Information (PII) of UK citizens, who are forced to register to this system unless they wish to risk being fined or left unable to vote. More concerningly, the threat of Violence-as-a-Service (VaaS), doxing, swatting, SIM swapping and other obnoxious methods of harassment or compromise increases when information of this nature is made publicly available. It changes lives and is very real for those that it impacts.

There are legitimate and legal uses for the electoral roll, but the current data sharing model doesn’t meet the privacy and security expectations and requirements of the present day.

Should a system used for:
- The prevention and detection of crime
- Safeguarding national security
- Checking the identities of individuals who have applied for financial services

…and more, also make this information publicly accessible? Furthermore, if it is so important to have an open register, why is this information not freely available through a more official channel controlled by the UK government or the commission itself? Instead it is sold by privately owned companies to private individuals and groups who may, and often do, have ulterior motives and uses for this data.

It is valid that some individuals and businesses may require their information to be available on the open register, but many members of the general public are likely unaware that an open register exists. Should such a system be opt-out, or should those who need and want to be listed be required to opt-in? Whilst anonymous electoral roll registration is possible, individuals have to meet certain criteria where risk and their threat model is decided for them. This should not be the case, especially given that many victims of crime around the world and in the UK let crimes and threats against them go unreported. Furthermore, should an open register exist where police officers, military staff, prison workers, and those in other operational security-sensitive occupations are automatically opted in to sharing where they live and who they live with?

With statements such as:

“…much of it is already in the public domain”

and

“…the personal data held on electoral registers, typically name and address, does not in itself present a high risk to individuals”

It’s no wonder that many people (including myself) feel as though privacy is never a consideration.

At the very least, the commission acknowledge the harsh impact this breach will have on many current and future victims:

“It is possible however that this data could be combined with other data in the public domain, such as that which individuals choose to share themselves, to infer patterns of behaviour or to identify and profile individuals”

Privacy is an often misunderstood and arguably esoteric topic, as individuals frequently have to trade convenience and do their own research to fully understand related issues and their associated implications. What some people and organisations fail to realise is that lapses in privacy and security, such as this breach, have a very real impact on those who are subjected to the fallout.

For those affected by cybercrime and by cyber-enabled crime that takes place in the real world, the effect of these breaches and the lack of consideration for privacy and security in other areas of society is significant.

Even as somebody who is privacy and security conscious, I have been indiscriminately targeted in a campaign off the back of a data breach, and at the time the emotional stress and worry that it caused for me and my family was very real. I managed to attribute this to a specific online data breach and in the process of understanding how I was targeted, I identified multiple GDPR breaches which were acknowledged and facilitated by an involved party separate to the original breach, a very large organisation nevertheless. With this in mind, my experience was very insignificant in comparison to what some victims face, although it’s something I plan to put together a conference talk on and help people to understand how leaked data can be and is used by threat actors who aren’t necessarily targeting you specifically.

An argument often proposed by individuals is “Why would somebody target me?”, usually paired with something such as “I have nothing to hide”. The thing that these individuals often fail to realise is that threat actors do not care whether you have something to hide - they exist to reap your finances, cause emotional havoc and bring about damage wherever and to whatever they can. Often the only thing which can change this approach is when said individuals can understand what it’s like to be at the mercy of an anonymous internet user, or worse yet, a physical threat.

I may be wrong in some of my assessments in this article, but ultimately I believe it is a valid discussion that requires more interest and attention from both industry professionals and regulatory bodies alike.

Please remember that whilst you may not believe or understand how such breaches can have an impact on you and your family, for some people out there it can be and continues to be devastating, no matter how small or irrelevant it may seem.