This article was co-authored by Bethany Thompson, Solicitor Apprentice, Manchester.
On 8 August 2023, the Electoral Commission (EC), an independent body which oversees elections and regulates political finance in the UK, published a public notification to announce that they had been subject to a complex cyber attack. The notification confirmed that “hostile actors had first accessed the systems in August 2021” and that this was first detected by the EC in October 2022 due to suspicious activity.
The EC have confirmed the “hostile actors” were able to access copies of the electoral registers and that their email system was accessible during the entire period of the attack. It was further indicated that the names and addresses of all voters who registered between 2014 and 2022 had been impacted, as well as the names of those registered as overseas voters - approximately 40 million in total.
Early fallout from the EC’s public notification
The Information Commissioner’s Office (ICO) released a statement on 9 August 2023 confirming that they are “making enquiries” and “investigating as a matter of urgency”.
Media reports have confirmed that approximately 28 million individuals chose to ‘opt out’ of the UK’s open register. This has raised concern as to why the EC retained so much data, such that it was still accessible to the attackers. In a further publication on the EC’s website, it stated that the data was “held by the Commission for research purposes and to enable permissibility checks on political donations”.
Based on our analysis of the public notification made by the EC, we have identified three key takeaways which we think any organisation can learn from, and which we think could feature heavily in the potential regulatory scrutiny (both in the UK and elsewhere), media reporting and claims that might follow.
Takeaway 1: Effective cyber detection measures are essential
There appears to be a 14-month delay between the “hostile actors” first accessing the EC’s systems (in August 2021) and any suspicious activity being identified (in October 2022). The EC’s public notification indicates unfettered unauthorised access to various EC systems, including employee email accounts, for well over a year.
It will be very interesting to see how the ICO responds, but the failure to detect the initial unauthorised access in August 2021, and then for so many months afterwards, is likely to be a focal point of their investigation. This is particularly so when sophisticated cyber detection tooling is available at a relatively low cost for such a large agency entrusted with controlling so much personal data.
The takeaway for organisations here is to speak to experts who can advise on suitable detection measures (such as ‘endpoint detection and response’ tooling) which aim to identify suspicious activity at the point of entry.
Takeaway 2: Data retention policies must stand up to scrutiny
It is still very early days since the EC posted its public notification, but most of the media reporting has focussed on why the EC retained data for as long as it did, even when people opted out of the register.
This serves as a timely reminder to all organisations, no matter what industry, that they should have effective systems and data retention policies in place to comply with both the UK GDPR and industry standards depending on the nature of the data held. As a starting point, personal data should only be kept for as long as it is required to achieve the purpose for which it is collected.
Takeaway 3: Notifications must be made ‘without undue delay’
Early media reports have also highlighted the delay in notifying data subjects. In response, the EC have confirmed the various steps that were taken during this time, including: removing the threat actors from the system; assessing the extent of the incident; liaising with the National Cyber Security Centre (NCSC) and the ICO; and putting additional measures in place before the incident could be publicised.
The work outlined by the EC in response to the delay highlights the importance of organisations having in place an effective breach response plan to streamline the work required prior to notification. Not only will this assist in meeting the regulatory requirements imposed by Article 34 of the GDPR, which provides that notifiable data subjects should be informed ‘without undue delay’, but it will also help organisations get ahead of the curve and minimise the risk of reputational damage.
Ultimately, it seems the EC will rely on the relevant regulatory thresholds for notification not being met. However, it will be interesting to see the ICO’s stance on whether early communications (short of formal notifications) might have ensured those impacted were in a position to mitigate risk for themselves, and the circumstances in which the data was held.
Comment and comparison with the Police Service of Northern Ireland (PSNI) data breach
Both the EC and the PSNI have come under scrutiny in relation to data breach incidents that came to public light on the same day.
While the circumstances of both incidents contrast - one involving unauthorised access to systems by a nefarious third party, and the other arising from human error - it is helpful to consider the nature of data involved with each incident, and the potential implications for all organisations.
On paper, the personal data involved in the EC incident (names/addresses/contact details) and the personal data in the PSNI incident (seemingly just name, together with ranking and station location) appear broadly similar.
There seems little doubt, however, that the PSNI breach can be considered to give rise to a significantly higher risk than the EC data. It is the very fact that police officers’ names have been revealed by the PSNI which has caused so much concern, whereas the names of people on the EC’s register are comparatively innocuous.
For organisations, this should highlight the importance of assessing the level of risk that may arise from a data breach depending on the nature of the data held. Assessments should consider not only the type of data held but also all other external factors which may increase the likelihood of the data being high risk if the information were to be publicised. This should help inform both data retention policies and breach response planning in the event of a future data breach.