All our data has been exfiltrated by hackers, every one of the forty-odd million adults registered to vote in the UK – which, may I remind you, we have to do by law – and the Electoral Commission’s response is not good enough.

  • Personal data contained in Electoral Register entries:
    • Name, first name and surname
    • Home address in register entries
    • Date on which a person achieves voting age that year.

It affects

anyone who has been in contact with the Commission, or who was registered to vote between 2014 and 2022

and it’s been going on since mid-2021:

The incident was identified in October 2022 after suspicious activity was detected on our systems. It became clear that hostile actors had first accessed the systems in August 2021.

The more I think about this data leak, the angrier I am, and not just about the fact that they waited nine months to tell us.

They didn’t need a centralised database of the details of every elector to run elections. They compiled it for “research purposes”. That defence didn’t work for Pete Townshend and we shouldn’t let them get away with it here. This is negligence.

If you can’t protect data, don’t collect it. It’s not enough to call it a “very sophisticated” attack: if you’re some kind of bumpkin organisation that can’t fend off a clever attacker, you shouldn’t be running a database of everyone’s details.

The cherry on the top is the misspelling of breaches in the public notification:

According to the risk assessment used by the Information Commissioner’s Office to assess the harm of data breeches, the personal data held on the electoral registers – typically name and address – does not in itself present a high risk to individuals.

Then again, they really do have their pants down, and are showing their arse to the world, so maybe that’s appropriate.

Data subjects retain the right to complain to the UK Supervisory Authority, the Information Commissioner’s Office (ICO).