UK cyber security proven vulnerable after two major data breaches
The UK’s Electoral Commission has suffered a cyber attack exposing the information of about 40 million UK voters, in the same week that Northern Irish police suffered a data breach revealing the information of every police officer in the Police Service of Northern Ireland (PSNI).
According to the Electoral Commission’s announcement this week, hackers had access to the information for more than a year: the cybercriminals first accessed the systems in August 2021, but the incident was only identified in 2022.
Despite this, the Electoral Commission revealed the information to the public only this week – something that cyber security professionals have come to question as it is usual practice for organisations to inform those impacted about data breaches within the same or a similar timeframe.
“This incident is more than a breach of critical national infrastructure (CNI) or personal information, it’s a breach of the instruments of democracy itself,” commented Dominic Trott, director of strategy and alliances at Orange Cyberdefense.
“It’s common knowledge that CNI and electoral information are major targets for cybercriminals, so the way this attack has been handled should be questioned. How can it be that the incident was identified in October 2022, but that the general public – those impacted – are only hearing about it now?” Trott added.
The Electoral Commission admitted that the information obtained in the cyber attack includes the name and address of anyone in the UK who registered to vote between 2014 and 2022, as well as the names of those registered as overseas voters.
It did not include the details of those registered anonymously. The commission’s email system was also accessible during the attack.
The Electoral Commission writes that since the attack, it has worked with security specialists to investigate the incident and has taken action to secure its systems.
Police names leaked
The revelations about voter data came in the same week that Northern Ireland police suffered a huge data breach, compromising the details of every serving officer and member of staff.
The breach was self-inflicted: the PSNI accidentally published the information in response to a Freedom of Information (FOI) request.
The surname, initials, rank or grade, work location and department of each member of staff were exposed, but private addresses were not included.
Liam Kelly, chair of the Police Federation for Northern Ireland (PFNI), told Sky News that some officers will not be able to continue in their roles due to safety concerns, and some may have to move house.
“We have a number of officers who work in more sensitive areas of policing where a veil of secrecy is their shield and protects them from clear risk in dealing with the most dangerous people in our society, being our terrorists and our organised criminals,” Kelly told Sky News.
Leader of the Northern Irish party, Naomi Long, commented that there were major questions arising from the breach.
She asked: “Why was all this data held in one place? Why was it not encrypted? Why was a junior member of staff in a position to be able to access it? Given the sensitivity of such data, is that in itself not a concern?”