In 2021, cybercriminals hacked the electoral roll. When this breach finally came to light – some two years later – there were understandable concerns. While voting details and election outcomes remain secure, the incident has left millions of voters potentially exposed to fraud, scams, and identity theft.
Here’s what happened in the Electoral Commission data breach, its implications, and steps you can take to protect yourself.
What happened in the Electoral Commission data breach?
The breach saw hackers gain unauthorised access to personal data held within the UK electoral roll. The compromised data included names, addresses, and dates of birth for registered voters. The breach was only spotted when an employee discovered spam emails being sent from the Commission’s email server.
Who was behind the hack?
In 2024, the then Conservative government linked the cyber-attack to China. According to the National Cyber Security Centre (NCSC): “The data, in combination with other data sources, would highly likely be used by the Chinese intelligence services for a range of purposes, including large-scale espionage and transnational repression of perceived dissidents and critics in the UK”. The Chinese Embassy denied the allegations, calling them “malicious slander”.
What was not accessed?
Rest assured that voting information, such as ballots cast or political preferences, was not compromised. The breach did not affect the integrity of the UK’s voting process.
Potential risks for voters
While the breached data may seem harmless, its misuse can have serious consequences. Expert data protection lawyers believe the stolen data could be exploited for fraudulent purposes. This might include:
Identity theft
The combination of names, addresses, and dates of birth can provide the building blocks for identity theft. Cybercriminals can use this information to:
- Open bank accounts or credit cards in someone else’s name
- Fraudulently apply for loans or other forms of credit
- Carry out phishing or impersonation scams.
Fraud and scams
Criminals often exploit personal data to craft targeted scams. For instance:
- Individuals may receive convincing emails or phone calls that appear to come from legitimate institutions like banks, government agencies, or trusted service providers. These communications might request personal information or direct recipients to fake websites designed to steal sensitive data.
- Voters may receive fraudulent communications claiming to be from the Electoral Commission, warning about the hack and urging them to “verify” their information or update their voter registration. Such scams often include links to counterfeit websites or attachments containing malware.
- Criminals could use the stolen data to send enticing job opportunities or prize notifications that require recipients to provide sensitive information or make upfront payments for “processing fees.”
- Scammers might create fake utility bills, tax demands, or fines, presenting them as urgent to trick victims into paying without verifying the legitimacy of the requests. These scams often play on fear or a sense of obligation.
Since the compromised electoral roll contains specific details like names and addresses, scammers can personalise their approaches to increase credibility. For instance, they might mention your address or other details to make fraudulent claims appear legitimate, such as impersonating your landlord or a local authority.
Impersonation risks
Impersonation fraud is a growing concern. With sufficient personal data, criminals can assume someone’s identity to manipulate financial transactions, create fake profiles, or bypass security protocols.
Steps to protect yourself
If you’re concerned that your data may have been compromised in the Electoral Commission data breach, taking proactive measures is essential. Here’s how you can reduce potential risks:
Monitor your financial statements
Regularly check bank and credit card statements for any unauthorised transactions. Early detection can help limit potential damage.
Use identity protection services
Consider subscribing to identity theft protection services that monitor your personal information and provide alerts if your data is found in suspicious contexts.
Enable fraud alerts
Contact your bank and credit agencies to enable fraud alerts on your accounts. This step can help flag any suspicious activity quickly.
Be vigilant about scams
Be cautious of unexpected emails, calls, or texts requesting sensitive information. Verify the sender’s legitimacy before responding.
Update your online security
Strengthen your online defences by:
- Using unique, complex passwords for accounts.
- Enabling two-factor authentication where possible.
- Avoiding oversharing personal details on social media.
What the electoral roll breach means for data security
The breach underscores the importance of robust data protection measures, particularly for systems that handle sensitive voter information. Electoral commissions and government bodies must prioritise cybersecurity to prevent similar incidents in the future.
This includes:
- Regularly updating and auditing databases
- Encrypting sensitive data
- Implementing multi-layered security protocols.
However, while the Electoral Commission has strengthened its security measures since the hack, this could be too little, too late for those affected.