Anatomy of a Breach: UK Electoral Commission — 40 Million Voters' Data Exposed for Two Years Without Detection

> series: anatomy_of_a_breach —— part: 176 —— target: uk_electoral_commission —— voters: 40,000,000 —— undetected: 2_years —— failures: unpatched_weak_passwords

Hedgehog Security 31 August 2023 14 min read

40 million UK voters. Two years undetected. The body that oversees UK elections could not protect voter data.

In August 2023, the UK Electoral Commission disclosed that it had been the victim of a 'complex cyber attack' first identified in October 2022, which had resulted in hostile actors accessing its systems since August 2021 — a two-year period of undetected access. The attackers had accessed copies of the electoral registers — containing the names, home addresses, and registered dates of approximately 40 million people registered to vote in the UK between 2014 and 2022 — as well as the Commission's email system.

The ICO's investigation found that the Commission had failed to ensure appropriate security measures: it was running unpatched software (including Microsoft Exchange Server with known vulnerabilities), using passwords that did not meet NCSC guidance standards, and lacked adequate monitoring. The ICO issued a formal reprimand. The breach, attributed by the NCSC to China-affiliated cyber actors, raised fundamental questions about the security of UK democratic infrastructure and the protection of voter data.



The electoral register. 40 million voters. Accessed by a hostile state actor.

Voter Data and Democratic Integrity

The electoral register — containing the names and addresses of 40 million UK voters — is a foundational dataset of UK democracy. Its compromise by a state-affiliated actor raises concerns about voter profiling, targeted disinformation, and interference in democratic processes. For UK <a href="/blog/sector-under-the-microscope-local-government">local authorities</a> that maintain electoral data, the Electoral Commission breach is a direct warning.

Unpatched Exchange Server

The ICO found that the Commission was running unpatched software including Microsoft Exchange — the same platform mass-exploited in the <a href="/blog/anatomy-of-a-breach-hafnium-exchange">Hafnium attacks</a> (2021). <a href="/cyber-essentials">Cyber Essentials Danzell</a> mandates 14-day patching. <a href="/vulnerability-scanning">Vulnerability scanning</a> identifies unpatched Exchange servers.

Weak Passwords

The ICO found passwords that did not meet NCSC guidance — on systems holding 40 million voters' data. <a href="/cyber-essentials">Cyber Essentials Danzell</a> mandates strong password policies and MFA. The Electoral Commission's password failures echo the <a href="/blog/anatomy-of-a-breach-uk-parliament-email">UK Parliament email attack</a> (2017) — another democratic institution compromised through weak authentication.

Two Years Undetected

The breach persisted from August 2021 to October 2022 — 14 months before detection, and a further 10 months before public disclosure. <a href="https://www.socinabox.co.uk">SOC in a Box</a> provides the continuous monitoring that reduces dwell time from years to hours. <a href="https://www.cyber-defence.io/services/incident-response">UK Cyber Defence</a> enables rapid detection and response.

Unpatched software. Weak passwords. Guarding 40 million voters' data.

The Electoral Commission breach demonstrated that UK democratic infrastructure is defended by the same basic security controls — patching, passwords, monitoring — that have appeared throughout this fifteen-year series. When those controls fail, the consequences extend beyond data theft to the integrity of democratic processes. Cyber Essentials certification would have addressed every failing the ICO identified: patching, password policy, access controls, and secure configuration. Our penetration testing validates these controls. SOC in a Box provides the monitoring the Commission lacked. And UK Cyber Defence provides the incident response capability that detects breaches in days, not years.


40 million voters. Unpatched software. Weak passwords. Two years. Is your organisation better defended than the Electoral Commission?

<a href="/cyber-essentials">Cyber Essentials</a> addresses every failing the ICO found. <a href="/vulnerability-scanning">Vulnerability scanning</a> finds unpatched systems. <a href="https://www.socinabox.co.uk">SOC in a Box</a> detects breaches in hours, not years.
