Cyber attack on electoral registers – your questions answered

What happened?

Unidentified hackers gained access to the UK’s electoral registers for 14 months without being detected. The initial breach took place in August 2021 but the attack wasn’t discovered until October last year.

Why are we only finding out now?

The Electoral Commission discovered the attack due to some suspicious log-in requests in October 2022.

Before telling the public, they needed to secure their systems to prevent further attacks.

What did the hackers see?

The hackers gained access to the names and addresses of people registered to vote in the UK between 2014 and 2022. This included overseas voters and those who opted to keep their details off the open register.

The attackers didn’t see the details of anonymous voters – whose details are hidden for security or safety reasons.

Emails sent to the Electoral Commission and details provided by people filling in forms on its website may also have been seen.

It’s unknown whether the hackers made copies of any data.

Should I be worried?

The electoral registers typically just include names and addresses. This information is often already publicly available.

Having said that, it’s possible this data could be used alongside other publicly available information to work out people’s patterns of behaviour. The more information fraudsters have about you, the easier it is for them to scam you.

Have my details been published online?

There is no evidence that the names and addresses accessed in the attack have been published online.

How can I avoid being scammed as a result of this breach?

If you’re worried about this or any other data hack, there are a few things you can do to check if your personal information is secure.

If you think you might have emailed financial data to the Electoral Commission, companies like Experian offer free credit check tools that look for signs of identity theft.

To find out what personal information the Electoral Commission holds about you, send them a subject access request. You can get in touch with them by email or phone. Don't worry about using any particular wording. Simply ask to see the personal details they have for you.

To see if your email address is publicly available, you can search https://haveibeenpwned.com. This will show if it’s been leaked through any reported data hacks.

What else can I do to outsmart scammers?

Read our guides on spotting energy scams and how to outsmart online scammers.