Electoral Commission and PSNI data breaches: what we know so far – Source: www.theguardian.com

The UK election watchdog and Northern Ireland’s police service both announced serious data breaches on Tuesday, in the latest example of the vulnerability of personal details to hacks and human error.

The UK data regulator, the Information Commissioner’s Office (ICO), is looking at the incidents, which have raised immediate safety concerns over the consequences of leaking personal data. Here is what has happened and what we know so far.

What happened at the Electoral Commission

The commission, an independent body that oversees elections in the UK, said on Tuesday it had been the subject of a “complex cyber-attack” that resulted in hackers accessing reference copies of the electoral registers. These contained the name and address of anyone in the UK who was registered to vote between 2014 and 2022, as well as names of overseas voters. This equates to the data of 40 million people. The Electoral Commission said it did not know whether the data had been downloaded.

The commission said it was “not able to know conclusively” what information had been accessed. It added that the personal data in the commission’s email system, which was also hacked, included email addresses of people who had contacted the commission; any personal images sent to the commission; and contact telephone numbers. Again, the electoral commission does not know whether any of the email data was taken.

The commission said the attack was spotted in October 2022 but had in fact started in August 2021, indicating the sophistication of the assailants.

What happened at the Police Service of Northern Ireland

The PSNI incident is of a different nature to the Electoral Commission attack and appears to have been due to human error. A spreadsheet was mistakenly published online detailing the surname, initial, rank or grade, location and the department of all current PSNI officers and civilian staff members. Private addresses were not released.

According to the PSNI, the data was released accidentally in response to a freedom of information request and was available to the public for up to three hours before the error was spotted.

Should PSNI staff be concerned?

The PSNI’s assistant chief constable Chris Todd said the data release was limited in nature but was still of “significant concern”.

“It is limited to surname and initial only, so there’s no other personal identifiable information contained within the information that was published.

“That will be still a significant concern to many of my colleagues, I know that, and we will ensure that we do everything we can to mitigate any security risks that are identified.”

Who is responsible for the Electoral Commission hack?

Experts say the sophistication and ambition of the attack points to a state-backed entity, with Russia top of the list for some observers.

David Omand, a former director of the British spy agency GCHQ, told BBC Radio 4’s PM that Russia was “first on my list of suspects”, while Sir Richard Dearlove, a former head of MI6, told the Daily Telegraph that the Kremlin would “be at the top of the suspects list by a mile”.

Alan Woodward, a professor of cybersecurity at Surrey University, said Russia’s history of trying to interfere in elections – particularly the US presidential election in 2016 – made it an obvious candidate.

“Russia has actively tried to interfere with our elections before so it is a prime candidate but it could be any of those countries seeking to undermine confidence in our democratic process. China, Iran, take your pick,” he said.

Could elections be affected?

The commission said it would be “very hard” to use a cyber-attack to influence the electoral process. According to Shaun McNally, the commission’s chief executive, the reliance on paper votes helps maintain the integrity of the system.

“The UK’s democratic process is significantly dispersed and key aspects of it remain based on paper documentation and counting. This means it would be very hard to use a cyber-attack to influence the process,” he said on Tuesday.

Nonetheless, the potential leak of millions of voters’ details could leave them exposed to manipulation before they make their paper vote. It could also leave them exposed to fraud attempts, which state-sponsored actors have been known to attempt as well as cybercriminals.

The commission admitted on Tuesday that the information could be combined with other data, such as social media, to profile individuals.

“It is possible however that this data could be combined with other data in the public domain, such as that which individuals choose to share themselves, to infer patterns of behaviour or to identify and profile individuals,” it said.

Do the Electoral Commission and PSNI face fines?

The ICO said last year that it was planning to “reduce the impact of fines on the public sector” for mishandling of data, as part of a new approach which would focus on warnings and enforcement notices.

However, it said fines could still be issued in “the most serious cases”, which is undoubtedly the category for the electoral commission and PSNI incidents. In 2021, before this new approach was announced, the ICO fined the Cabinet Office £500,000 after the postal addresses of the 2020 new year honours recipients were disclosed online.

At the time of the statement, in June 2022, the ICO said it would be “working more closely with the public sector to encourage compliance with data protection law and prevent harms before they happen”. There is clearly more work to be done.