The Electoral Commission Was Hacked For A Year. Why Was This Not A Scandal?
Chinese hackers spent over a year inside Britain's electoral regulator, accessing millions of voter records. No one resigned. The fine was a reprimand. Parliament still doesn't know what was changed. Why did this not end careers? MPs' aggressive plans to implement Digital ID are dangerous.
In August 2021, hostile actors penetrated the Electoral Commission's systems. They installed backdoors, accessed emails, and obtained the electoral registers for the entire United Kingdom. The breach went undetected for fourteen months. When an employee finally noticed spam emails being sent from the Commission's servers in October 2022, investigators discovered the extent of the compromise. The Commission waited another ten months before disclosing the breach to the public in August 2023.
The scale was extraordinary. Approximately forty million people's electoral data was accessible to the attackers—the names and addresses of everyone registered to vote in Great Britain between 2014 and 2022, plus overseas voters and Northern Ireland's 2018 register. The Commission's entire email system lay open to inspection. The organisation admitted it could not know conclusively what files may or may not have been accessed.
In March 2024, the UK government attributed the attack to hackers working for the Chinese government, specifically a group known as APT31 linked to China's Ministry of State Security. Yet the breach produced barely a ripple in British political discussion. No minister resigned over the failure of oversight. No senior Commission official fell on their sword. The Information Commissioner's Office declined to impose a fine, issuing instead a reprimand—a public scolding with no financial consequences.
An Invitation to Enter
The Electoral Commission's security failures were not sophisticated vulnerabilities requiring nation-state resources to exploit. Hackers accessed the Microsoft Exchange Server by impersonating a user account and exploiting known software vulnerabilities that had not been fixed. Microsoft had released patches for the ProxyShell vulnerability chain in March and April 2021. The Commission failed to apply these fixes, leaving the vulnerabilities unpatched for three to five months after the patches had been released.
Password management proved equally lamentable. Following a post-incident audit, 178 passwords were cracked in "rapid" time because they were identical or similar to those originally allocated by the service desk. Default credentials—the sort of basic security failing one might expect from a small business, not from the body charged with safeguarding electoral integrity—facilitated the intrusion.
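As an added illustration of the password failing described above (example code written for this page, not the Commission's, the ICO's or any auditor's tooling), the following Python shows a password-change filter that rejects a new password that is identical to, a trivial variant of, or closely similar to the one the service desk issued. The issued password, the threshold, the usernames and the proposed passwords are all constructed for the example.

```python
import difflib
import re

# Constructed for this example: the initial password a service desk hands out.
# It is NOT the Electoral Commission's real default; any fixed value works here.
ISSUED_PASSWORD = "Welcome2021!"

# Assumed threshold: reject when the two strings share roughly three quarters
# of their characters in order (difflib ratio), which catches the issued
# password with a few characters added or changed.
MAX_SIMILARITY = 0.75


def normalise(password: str) -> str:
    """Lower-case and strip trailing digits/symbols, the usual 'variation' on an
    issued password (Welcome2021! -> welcome)."""
    return re.sub(r"[\d\W_]+$", "", password.lower())


def similarity(a: str, b: str) -> float:
    """Case-insensitive ordered-character similarity in [0, 1]."""
    return difflib.SequenceMatcher(None, a.lower(), b.lower()).ratio()


def check_new_password(new_password: str, issued: str = ISSUED_PASSWORD):
    """Return (accepted, reason). Rejects the issued password itself, trivial
    case/suffix variants of it, and anything too similar to it."""
    if new_password == issued:
        return False, "identical to the issued password"
    if normalise(new_password) == normalise(issued):
        return False, "issued password with only case or suffix changed"
    ratio = similarity(new_password, issued)
    if ratio >= MAX_SIMILARITY:
        return False, f"too similar to the issued password (ratio {ratio:.2f})"
    return True, "ok"


def audit_password_changes(changes: dict, issued: str = ISSUED_PASSWORD) -> dict:
    """Run the filter over {username: proposed_password} and return the
    rejected accounts with their reasons, as a post-incident audit would report."""
    rejected = {}
    for user, proposed in changes.items():
        accepted, reason = check_new_password(proposed, issued)
        if not accepted:
            rejected[user] = reason
    return rejected


# Constructed sample: four staff accounts choosing their first password.
SAMPLE_CHANGES = {
    "a.smith": "Welcome2021!",           # never changed it
    "b.jones": "welcome2021",            # dropped the case and the symbol
    "c.patel": "MyWelcome2021!",         # issued password with a prefix bolted on
    "d.khan": "river-tango-ceramic-47",  # unrelated passphrase
}

if __name__ == "__main__":
    for user, reason in audit_password_changes(SAMPLE_CHANGES).items():
        print(f"{user}: rejected, {reason}")
```

Run at password-change time, a filter like this blocks the three "identical or similar" cases before they reach the directory; run over the results of a sanctioned cracking audit, `audit_password_changes` gives the same report the ICO described.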
The Commission knew its infrastructure was outdated. It was planning to move its infrastructure towards the cloud, so "remedial action with the old servers was limited". In October 2021, staff had reported a breach after discovering spam emails, but the Commission considered the issue to be an isolated incident. This complacency permitted the attackers to maintain their presence for another year.
Most damningly, the Electoral Commission failed an NCSC Cyber Essentials audit on multiple counts at about the same time as cyber criminals breached its systems in 2021. The body responsible for electoral integrity could not meet basic cyber security standards whilst hostile actors roamed freely through its networks.
What Hostile Actors Could Achieve
The Commission and government officials rushed to reassure the public. The UK's democratic process is significantly dispersed, and key aspects remain based on paper documentation and counting, making it very hard to use a cyber-attack to influence the process. True enough—Britain's electoral mechanics rely on physical ballots marked with stubby pencils in church halls, counted by hand under the watchful eyes of candidates' agents. The attackers could not simply alter vote totals from Beijing.
But this misses the point entirely. Electoral registers serve multiple critical functions beyond determining who receives a polling card. They verify identity for postal vote applications. They enable anti-fraud checks. They authenticate voters when identity verification is required. The data accessed would be used by Chinese intelligence services for large-scale espionage and repressing perceived critics in the UK.
Consider the possibilities for a hostile intelligence service with complete electoral rolls spanning eight years. Cross-reference against social media, property records, Companies House data. Map networks of activists, journalists, MPs' staff, civil servants living in particular postcodes. Identify voters in marginal constituencies. Build detailed profiles for influence operations or targeted phishing campaigns. The Commission's email system contained names, email addresses, home addresses, contact telephone numbers, and the full content of correspondence and webforms—a treasure trove for foreign intelligence.
The Commission insists there is no indication that information accessed during the cyber-attack has been copied, removed or published online. This is cold comfort. With as many as fifteen months to work before discovery, we can reasonably assume exfiltration occurred. Intelligence services do not advertise their acquisitions on darknet forums.
The Scandal That Wasn't
The Information Commissioner's Office investigated and found the failures inexcusable. If the Electoral Commission had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely this data breach would not have happened. Yet no fine was imposed—only a reprimand.
The ICO's justification reveals much about how Britain treats public sector failures. The regulator had adopted a revised approach to enforcement on public bodies, meaning they would be unlikely to see large fines imposed for the next two years. The reasoning? Fines come from budgets for provision of services, effectively punishing breach victims twice. This logic might apply to a local council struggling with limited resources, but the Electoral Commission? The body safeguarding democracy itself?
The ICO acknowledged it had no reason to believe any personal data was misused and found no evidence that direct harm had been caused. But absence of evidence is not evidence of absence when dealing with intelligence operations. Chinese state actors do not leave calling cards. They collect, correlate, and exploit data over years. The harm may not materialise until a future crisis when detailed profiles of British citizens prove useful for coercion, blackmail, or targeted disinformation.
Within the Electoral Commission itself, silence. No individual staff member has been publicly disciplined. The new chief executive, Vijay Rangarajan, arrived in 2024 and described the breach as an "enormous shock" requiring three years and more than £250,000 to recover from. He spoke of "complacency" within the organisation. But complacency by whom? Which specific officials failed to implement basic security measures? Who decided to deprioritise patching old servers? The public has no answers.
Parliament appears equally uninterested. No major inquiry has examined the breach's implications. No Select Committee has grilled officials about what systems may have been altered. The Speaker's Committee on the Electoral Commission, supposedly responsible for oversight, has maintained a studied silence on who precisely failed and how they will be held accountable.
Different Rules For The Private Sector
Imagine British Airways failing to patch known vulnerabilities for five months, resulting in Chinese intelligence services accessing forty million customer records for over a year. The ICO would likely have imposed millions in fines. The CEO would face intense pressure to resign. Shareholders would demand explanations. Yet when the body responsible for electoral integrity demonstrates identical failures, we get a stern letter and reassurances about lessons learned.
Officials acknowledged that had the same mistakes occurred in the private sector, the consequences would likely have included a heavy financial penalty. This admission exposes the double standard. If forty million citizens' data matters less when compromised by a public body than by a private company, what signal does this send about government's commitment to protecting democratic infrastructure?
What We Still Don't Know
Two years after the breach's disclosure, fundamental questions remain unanswered. Did the attackers alter any control systems related to transparency data? The Commission has not said. Were backup systems compromised? Unknown. Did the breach extend to systems beyond those officially acknowledged? We cannot be certain.
The Commission stated it knows which systems were accessible to hostile actors but cannot conclusively determine what files may or may not have been accessed. This uncertainty should be intolerable. For fourteen months, foreign actors had free rein. The public deserves a comprehensive, independently verified accounting of every system touched, every file potentially accessed, every change possibly made.
The attribution to China came in March 2024, more than two years after the breach's discovery. Ministers explained that attribution takes time because they must be absolutely sure of the basis before making assertions about hostile state activity. Fair enough—but this delay meant the public spent years unaware that a major power's intelligence apparatus had penetrated Britain's electoral infrastructure.
Why This Matters
Britain prides itself on democratic resilience. The dispersed nature of electoral administration, the use of paper ballots, the transparency of hand-counting—these features do provide genuine protection against certain forms of digital manipulation. But they do not render electoral infrastructure irrelevant to security. Voter registers, email systems, and control databases all play crucial roles in ensuring fair elections.
When those systems suffer catastrophic security failures, and no one in authority faces meaningful consequences, what incentive exists for improvement? The Commission has since spent more than £250,000 to overhaul cyber defences and now devotes a much larger share of its budget to security. Excellent—but this should never have been necessary. The ProxyShell vulnerabilities were widely known. The patches were available. The failures were elementary.
The absence of scandal sends a dangerous signal: you can fail to implement basic security, you can allow hostile states to access millions of citizens' data, you can wait months before disclosure—and you will face a reprimand. Not a fine. Not resignations. Not a comprehensive parliamentary inquiry. Just a letter of censure and a promise to do better.
Forty million Britons' data sat exposed to Chinese intelligence for fourteen months because officials could not be bothered to install security patches. If this is not scandalous, what would be?