UK Electoral Commission data breach

The Electoral Commission of the United Kingdom suffered a data breach in 2021–2022.

In March 2024 it was reported that the UK security services had identified the Chinese government as the perpetrator of the breach. In connection with the breach, the UK government sanctioned two individuals and a company linked to the Chinese government.

Events
According to the commission, the data could have been accessed as far back as August 2021 but was not detected until October 2022. Once discovered, the attack was reported to the Information Commissioner's Office, National Cyber Security Centre and National Crime Agency within 72 hours.

The initial point of entry may have been a zero-day flaw referred to as 'ProxyNotShell' (CVE-2022-41040) in the commission's Microsoft Exchange Server.

The commission said that it was not able to know for certain what data was accessed or who was responsible, but that the attack showed considerable sophistication. The breach did not have any impact on the electoral process: only copies of electoral registers were visible to the attackers, and these had not been altered as a result of the attack. The commission assessed that the breach did not pose a high risk to individuals, but that it did involve a high volume of low-grade personal data (name, home address and, for some, the date of reaching voting age).

It would have been possible to access records for people registered to vote in the UK between 2014 and 2022, and the commission's email system would also have been accessible to the attackers. About forty million people are on the electoral register. Data that would not have been accessible included the details of those whose identity is kept anonymous for safety reasons and the addresses of overseas voters.

The Electoral Commission apologised for the data breach.

Aftermath
In March 2024, the UK government and the United States Department of the Treasury's Office of Foreign Assets Control (OFAC) sanctioned a Chinese Ministry of State Security front company called Wuhan Xiaoruizhi Science and Technology and affiliated individuals for breaching the Electoral Commission and placing malware in critical infrastructure.