Information about the cyber-attack

What happened?

The Electoral Commission has been the subject of a complex cyber-attack. The incident was identified in October 2022 after suspicious activity was detected on our systems. It became clear that hostile actors had first accessed the systems in August 2021.

We worked with external security experts and the National Cyber Security Centre to investigate and secure our systems.

About the ICO investigation

The ICO has issued the Commission with a reprimand after its investigation found infringements of the UK’s general data protection regulations.

The investigation found that in 2021 the Commission did not meet the requirements of data protection law to secure our systems and protect the personal data of the public. Failures were also identified in relation to password management policies, and the update patches in place at the time of the incident. Patching is the process of closing vulnerabilities in IT systems before attackers can exploit them. Full details of the ICO’s investigation and findings can be found on its website.

The Commission has made significant improvements to its IT security since the cyber-attack came to light. The ICO has not asked the Commission to take further action to resolve the breaches, nor has it issued any sanctions. The ICO has welcomed the steps taken by the Commission in relation to improving security and resilience.

The Commission has taken significant steps since the attack to improve the security of its systems. This has included a range of changes as part of a technology modernisation plan, expanding password policy controls and adding multi-factor authentication (an additional security measure beyond a username and password that is used to confirm a user’s identity). The security of our systems remains a priority, and we will continue to ensure we have the necessary protections in place to guard against future attacks.