It’s the biggest data theft in UK history. Last week, the UK Electoral Commission acknowledged that it had been the victim of a “complex cyberattack”, exposing the personal data of over 40 million voters.

Virtually all British citizens who registered to vote between 2014 and 2022 are potentially affected. “We know that data held by the Commission was accessible during the cyberattack, but we have not been able to determine whether the attackers read or copied any personal data stored on our systems,” explains the institution.

Electoral situation reports contain the names and postal addresses of voters, data which “does not in itself constitute a high risk for individuals”, it observes. However, the security flaw also affected messages and documents sent to the Commission, containing voters’ e-mail addresses and other personal information.

This statement comes almost a year after suspicious activity was discovered in October 2022. Since then, the Electoral Commission was able to determine that its systems had been infiltrated for the first time in August 2021, by a “hostile actor” it was unable to identify.

“We had to follow several steps before we could make the incident public”, explains the authority, to justify this significant delay. In particular, it claims to have closed off access to its IT systems and put in place additional security measures to prevent similar attacks in the future.

This is a serious blow for the Electoral Commission, but it is reassuring, promising that it will have no impact on future elections. “The UK’s democratic process is largely decentralized and remains paper-based and physically counted,” it stresses. This means it would be very difficult to use a cyberattack to influence the process.” Surely, a political promise that only engages who believe them.