How to find out if your details were stolen in Electoral Commission cyber-attack

With the Electoral Commission revealing it was the victim of a cyber-attack, here's everything you need to know.

James Hockaday
Updated ·4 min read
Ballot boxes are seen at a counting centre during Britain's general election, Bath, Britain December 12, 2019. REUTERS/Ian Walton
Hackers have been able to access the Electoral Commission's systems since August 2021. (Reuters)

Hackers have targeted the UK's elections watchdog, potentially gaining access to the details of 40 million voters over a two-year period.

The Electoral Commission apologised for the security breach but assured the public there was little risk of "hostile actors" being able to influence the outcome of a vote.

Attackers were able to access reference copies of electoral registers containing the names and addresses of people registered to vote between 2014 and 2022.

The hack was publicly confirmed on Tuesday, although it was first identified in October 2022, with hackers first able to access the commission's systems in August 2021.

Shaun McNally, the watchdog's chief executive, said the democratic process is unlikely to be influenced – as it is "significantly dispersed" with key aspects based on paper documentation and counting.

Read more: Make tackling tech-enabled abuse a priority, MPs tell Government

A computer programmer or hacker prints a code on a laptop keyboard to break into a secret organization system.
It is not clear who is behind the attack, and no one has come forward to claim responsibility. (Getty)

However, he warned: “We know which systems were accessible to the hostile actors, but are not able to know conclusively what files may or may not have been accessed.

“While the data contained in the electoral registers is limited, and much of it is already in the public domain, we understand the concern that may have been caused by the registers potentially being accessed and apologise to those affected.”

Here, Yahoo News explains what we know so far about the attack, and how to check if your details have been stolen.

How do I know if my data was accessed?

During the attack, hackers were able to access the names and addresses of anyone who was registered to vote in the UK between 2014 and 2022, as well as the names of those registered as overseas voters.

The Electoral Commission said details of anonymous voters were not accessible, as it doesn't have access to these.

Any details provided to the commission via email or on its website, such as through the 'contact us online' form, could also have been accessed by hackers.

Read more: Ukraine says it prevented Russian hacking of armed forces combat system

"We know that this data was accessible, but we have been unable to ascertain whether the attackers read or copied personal data held on our systems," the watchdog adds.

There is no indication that information accessed during the cyber-attack has been published online, but it's possible some of it has made its way into the public domain.

If you have not opted out of the open electoral register, the information held will already be publicly accessible via websites such as 192.com.

Read more: Industry expert: Government trying to undermine encryption in Online Safety Bill

To check if your email address has been compromised, you can visit haveibeenpwned.com to see if your email address has been released through reported data breaches.

If you think that you have supplied any financial data to the commission via email, there are free online credit check tools by reputable companies like Experian, which include online identity theft protection and monitoring.

Visit the National Cyber Security Centre's website for more guidance on how to keep your data secure.

How serious is this attack?

Unfortunately, if you registered to vote between 2013 and 2022 and haven't moved since, there is a chance hackers may have access to your home address, as well as your name.

While the thought of having these details accessed by an unknown hostile actor may seem unsettling, the Electoral Commission said the data contained in electoral registers is limited and that much of it is already in the pubic domain.

Read more: Landmark fusion breakthrough achieved by scientists for a second time

"The personal data held on electoral registers, typically name and address, does not in itself present a high risk to individuals," the watchdog said, citing a risk assessment used by the Information Commissioner’s Office.

However, it is possible that the stolen data could be combined with other public domain data to paint a more detailed profile of people and their behaviours.

Who was behind the Electoral Commission hacking attack?

It is still not clear who is behind the attack, and no groups or individuals have claimed responsibility for it.

The incident has been reported to the National Cyber Security Centre (NCSC) - part of the Government Communication Headquarters (GCHQ), who have been investigating, along with a security partner.

Explaining the delay in informing the public, the commission said it needed to make sure the attackers no longer had access to the system, put additional security measures in place, and take the time to fully assess the impact so it knew what it was dealing with.

How can I check what information the Electoral Commission has on me?

To find out what details the Electoral Commission has on you, you can submit a subject access request, either by filling out a form online or by email or phone.

When making the request, let the commission know you are asking for a search of the electoral register data, or all commission systems, and any personal data you may have submitted to the organisation.

Be sure to provide your name as it appears on the electoral register or on your polling card, and a preferred email address for the commission to contact you.