Britain’s Election Watchdog Details Security Failures in Wake of Cyberattack

Britain’s Election Watchdog Says It Took Three Years to Recover From China-Linked Hack

The420.in

The UK’s Electoral Commission has acknowledged that it took nearly three years and more than £250,000 in grants to recover from a cyberattack blamed on Chinese hackers. The breach, first detected in October 2022 but traced back to August 2021, gave intruders access to the electoral register containing the names and addresses of 40 million voters.

In its first detailed account, the commission admitted that hackers also had visibility over internal emails for an extended period, raising questions about how such a large-scale intrusion went undetected. Chief executive Vijay Rangarajan described the experience as “an enormous shock,” comparing the discovery of hackers inside the network to “feeling like you’d been burgled whilst still in the house.”

How the Hack Unfolded

The attack exploited a known vulnerability in Microsoft Exchange, widely used email software. Despite repeated warnings to install protective patches, the Electoral Commission failed to act in time. That delay opened a window for cyber groups linked to Beijing to infiltrate systems, part of a broader campaign that security agencies around the world had been tracking.

The hackers gained access not only to the open electoral register but also to the commission’s email traffic, with the potential to monitor sensitive communications. They remained undetected until a password system upgrade in 2022 inadvertently revealed their presence.

A Catalogue of Security Failures

The UK’s Information Commissioner last year issued a formal reprimand to the Electoral Commission, citing a litany of basic errors: poor password practices, ignored advice from the National Cyber Security Centre, and failure to pass routine audits. Parliamentary stakeholders openly questioned how such complacency had been allowed in an agency responsible for safeguarding democracy.

While no evidence has surfaced that election results were tampered with, six by-elections were conducted during the period the hackers had access to the networks. Officials concede they still do not know what data, if any, was extracted or manipulated.

A Painful Lesson in Digital Governance

Mr. Rangarajan, who was not in charge at the time of the breach, now says the commission has overhauled its cybersecurity practices, achieving the government’s Cyber Essentials Plus certification. Yet the scars remain: “The culture here has changed significantly now partly as a result of this. It’s a very painful way to learn.”

Western intelligence agencies have long accused Chinese state-backed actors of targeting democratic institutions, charges Beijing has consistently denied. For Britain, the attack has underscored both the vulnerability of electoral systems and the escalating costs of failing to secure them.
