The UK’s Electoral Commission has disclosed that recovering from a cyber-attack attributed to Chinese hackers took three years and cost at least £250,000, after the breach exposed personal data of 40 million voters and revealed critical security shortcomings.
The hack was first detected in October 2022 during a routine password system upgrade, but investigations traced it back to August 2021, when attackers exploited a known vulnerability in Microsoft Exchange software. Despite widespread warnings to install security patches, the commission failed to update its systems promptly, allowing suspected Chinese state-backed groups to infiltrate and remain undetected for over a year.
During this period, hackers had full access to the open electoral register, containing names and addresses of all UK voters, and could monitor all internal emails, raising alarms about the integrity of electoral processes. The commission’s security lapses included poor password practices, ignoring advice from the National Cyber Security Centre, and failing basic government audits, leading to a formal reprimand from the Information Commissioner’s Office.
Although six by-elections occurred while the hackers had access, there is no evidence that election outcomes were tampered with; however, officials admit they cannot be certain what data was accessed or exfiltrated. In response, the commission has overhauled its cybersecurity measures, achieving the highest level of certification, and increased spending on digital defenses.
The new CEO, Vijay Rangarajan, described the incident as a “painful lesson” in modern threats, emphasizing that the culture has changed significantly to prioritize security. The attack underscores the vulnerability of democratic institutions to state-sponsored cyber espionage and highlights the need for continuous vigilance.
Moving forward, the commission aims to rebuild trust and ensure that such breaches do not recur, as similar incidents could potentially disrupt future elections and undermine public confidence in the democratic process.