Electoral register hacked. All details stolen. (1 Viewer)

[Gromett]

Oh crap. Glad I am not on the register currently.

Cyber-attack on UK's electoral registers revealed

The Electoral Commission warns the public to be vigilant for unauthorised use of their personal data.

www.bbc.co.uk

 

[zulurita]

A bit worrying

 

[Gromett]

A bit worrying

More than a bit. This is critical data and should have been protected by the best security possible.

This is worrying as well though. Disclosure so the affected parties could take precautionary action if needed.

August 2021: hackers gain entry
October 2022: discovery of entry
August 2023: announcement of hack

 

[Two on Tour]

"The commission added that it had taken steps to secure its systems against future attacks"

So admitting that their online security was not fit for purpose?

 

[SpeedyDux]

Why does the Electoral Commission need to hold this massive database anyway? Is this an example of overreach. The ICO should tell the Electoral Commission to desist immediately.

I never expected that. Surely it is only necessary for each Local Authority to hold personal details of local electors/voters.

Will we all get compensation? If Celebs get substantial compo for phone hacking, why not us ordinary folk.

^{_{Subscribers  do not see these advertisements}}

 

[TDub49]

I wonder what accounts for the 10 month gap between discovering the hack and letting those affected (us) know of the potential risk? Seems to me that there should be a few jobs at risk in the Electoral Commission, particularly in whatever dept is responsible for cyber security but at the top as well . . . .

 

[Gromett]

Why does the Electoral Commission need to hold this massive database anyway? Is this an example of overreach. The ICO should tell the Electoral Commission to desist immediately.

I never expected that. Surely it is only necessary for each Local Authority to hold personal details of local electors/voters.

I am grateful to them for this example.

No end of times I have to explain to clients that I do not keep their usernames/password or other valuable data on my system in case it gets hacked. They ask me don't I trust myself and my procedures. I tell them I do, but I don't trust ALL the software I use 100% and no one should. If hackers get onto my system and I kept client data, that would be 100s of companies at risk with all their clients data at risk. It would be massive.

My point to them is if I don't hold the information I cannot leak it, lose it or abuse it. The small price to pay is I have to ask each time they want me to do some thing for them, and I tell them to reset their password immediately after.

The first and most important step as you rightly point out in information security is. If you don't NEED the information you shouldn't hold it. The 2nd rule is if you don't need it all the time, then it should not be accessible via any online system.

I can now give my clients another example of why I don't hold their data.

 

[The Coops]

Does the local Town Hall not keep a hard copy of the electoral register of the registered voters as a public document that anyone has access to if they ask?

 

[mitzimad]

i think it was the jerries looking for private pikes address

 

[SpeedyDux]

I am not sure how people can pass the online verification / credit checks if they aren't on the electoral register. That tends to indicate that such a national database does exist, and the information is being disclosed to third parties quite freely.

I did a quick search on data.gov.uk. It surprised me that there are examples of electoral roll datasets that are open data. e.g.

Electorate - data.gov.uk

^{_{Subscribers  do not see these advertisements}}

 

[ShiftZZ]

I wonder what accounts for the 10 month gap between discovering the hack and letting those affected (us) know of the potential risk? Seems to me that there should be a few jobs at risk in the Electoral Commission, particularly in whatever dept is responsible for cyber security but at the top as well . . . .

Risk assessment, project management etc etc. Endless Committees, travelling expenses.

Oh they have upgraded the firewall.

Project started in 1982, they bought the hardware, but it's been WIP since estimated spend so for £176 million

 

[ShiftZZ]

I am not sure how people can pass the online verification / credit checks if they aren't on the electoral register. That tends to indicate that such a national database does exist, and the information is being disclosed to third parties quite freely.

I did a quick search on data.gov.uk. It surprised me that there are examples of electoral roll datasets that are open data. e.g.

Electorate - data.gov.uk

Online checks etc may relate to the credit history, I know some people have chosen not to be registered..

 

[GJH]

I am not sure how people can pass the online verification / credit checks if they aren't on the electoral register. That tends to indicate that such a national database does exist, and the information is being disclosed to third parties quite freely.

I did a quick search on data.gov.uk. It surprised me that there are examples of electoral roll datasets that are open data. e.g.

Electorate - data.gov.uk

The Open Register is available to anyone who wants it but is it easy enough to opt out, meaning that the data will only be available to certain bodies/people allowed by law. Those people include electoral candidates whose security at home may not be of the highest level.
About 57% of voters have opted out (so the data on 43% of the hacked records will be in the public domain anyway).
Registration is compulsory, except in certain circumstances, and those who choose not to register face being fined.
See https://www.gov.uk/electoral-register

 

[herald_400rl]

Not sure why they think it acceptable to send electoral data over email! You would think it stored in an airgapped archive if necessary to keep it for x years...

 

[ShiftZZ]

No doubt lessons will learnt.. Utter incompetence..

^{_{Subscribers  do not see these advertisements}}

 

[Brains]

To be honest, it's not a big leak, as most of the data on voters is in the public domain.
You can buy the registers totally legally.

So it's just possible the hackers were getting the data to pass onto marketing companies on the cheap.

What is of more concern is access to their Emails and no doubt internal documents.
It may give 'hostile actors' clues on how to skew the ballot in some places.

The bottom line is the perennial problem that the UK does not an ID system, there is no compulsory voting, there is no transferable votes, no proportion representation, and voters need to 'register', and it's not in the interests of the two ruling parties to correct any of the issues.

 

[68c]

I think I'll just lie here, too scared to look under the bed.

 

[The Wino]

Why does the Electoral Commission need to hold this massive database anyway? Is this an example of overreach. The ICO should tell the Electoral Commission to desist immediately.

I never expected that. Surely it is only necessary for each Local Authority to hold personal details of local electors/voters.

Will we all get compensation? If Celebs get substantial compo for phone hacking, why not us ordinary folk.

Who would pay for compensation for everyone on the electoral role........all the people on the electoral role plus all the admin expences doing it!. Not a great idea!

 

[pappajohn]

I think I'll just lie here, too scared to look under the bed.

I'll just get on with life as before!

 

[dna]

Oh crap. Glad I am not on the register currently.

Cyber-attack on UK's electoral registers revealed

The Electoral Commission warns the public to be vigilant for unauthorised use of their personal data.

www.bbc.co.uk

I'm intrigued!.

If you aren't on the register anywhere, do you get any problems trying to get financial products or any other things where an address look up is involved?

^{_{Subscribers  do not see these advertisements}}

 

[MarionK]

No doubt lessons will learnt.. Utter incompetence..

You really think they will learn from this?

 

[Alsatian]

Oh crap. Glad I am not on the register currently.

Me too

 

[MarionK]

I'm intrigued!.

If you aren't on the register anywhere, do you get any problems trying to get financial products or any other things where an address look up is involved?

Interesting point. I did have problems with some security check recently, as I wasn't on some 'credit' register. At the time we concluded it was because I don't have any loans, not even a mortgage, but now I'm wondering if actually it's because I'm not on the electoral roll (through choice). Perhaps it was a combination.

 

[DuxDeluxe]

To be honest, it's not a big leak, as most of the data on voters is in the public domain.
You can buy the registers totally legally.

So it's just possible the hackers were getting the data to pass onto marketing companies on the cheap.

What is of more concern is access to their Emails and no doubt internal documents.
It may give 'hostile actors' clues on how to skew the ballot in some places.

The bottom line is the perennial problem that the UK does not an ID system, there is no compulsory voting, there is no transferable votes, no proportion representation, and voters need to 'register', and it's not in the interests of the two ruling parties to correct any of the issues.

So they just stole something that they could have purchased anyway?

 

[Jim]

On the register

• Your name, address, nationality and date of birth;
• Unique identifiers (such as National Insurance Number);
• Signatures for absent vote checking;
• Scanned application forms, documentary evidence, dates of any letters of correspondence;
• Notes about any relevant circumstances that you have told us;
• Your previous or any redirected address;
• The other occupants in your home;
• If you are over 76 or under 16/17
• Whether you have chosen to opt out of the open version of the register.

The Electoral Registration Officer processes the following special category personal information:

• Race and ethnic origin, insofar as it may be possible for this to be inferred from nationality information
• Health data - this may be contained within applications to vote by post or proxy
• Data relating to Anonymous Registration.

^{_{Subscribers  do not see these advertisements}}

 

[TheBig1]

The closed part of the electoral roll is definitely of value and dangerous in the wrong hands. Think people who rely on anonymity for their security. Everyone from politicians and their families all the way through to people who escaped abusive relationships or in hiding because of testifying in criminal cases

 

[philann]

I’m sure that people forget that every house had a book with everyone’s name, address and telephone number in it and an updated version was sent out each year.

 

[TheBig1]

I’m sure that people forget that every house had a book with everyone’s name, address and telephone number in it and an updated version was sent out each year.

but you could opt out of that too

 

[Brains]

So they just stole something that they could have purchased anyway?

yes.

But they also had access to internal emails and documents which is highly concerning.

Also details of voters that don't appear on the registers for some reason, which may be of use to someone.

 

[dash300]

Yet the DVLA sell their database information!

^{_{Subscribers  do not see these advertisements}}