Disastrous Set of Data Breaches in the UK Expose Details of 40m UK Voters and 10k Police Officers

It’s been a hot summer for data breaches in the United Kingdom. On August 8, the Electoral Commission, the independent body overseeing elections and political finances, disclosed a cyberattack that exposed the data of 40 million voters to hackers.

Reports suggest that the breach might be linked to an unpatched Microsoft Exchange zero-day vulnerability. Although it remains uncertain whether data was actually taken, the breach potentially affected personal information such as full names, emails, phone numbers, home addresses, and data collected during interactions with the commission.

Criticism has arisen regarding how the commission handled the cyberattack. The incident occurred in August 2021 but was only detected in October 2022 and was made public more than nine months later.

On the same day, the Police Service of Northern Ireland (PSNI) inadvertently disclosed the names and roles of 10,000 officers and staff in response to a Freedom of Information request. This incident, described as a data breach of “monumental proportions,” is arguably more significant than the one involving the Electoral Commission, as it exposed officers working in intelligence and security services. The information remained accessible online for three hours.

One former senior PSNI officer told the Belfast Telegraph that the sensitive data is now “freely circulating on WhatsApp groups, including retired officers. It is in essence ‘out there’ and can never be retrieved; the operating assumption must be it will be outside of the police family.”

Following the breach, officers raised concerns about their safety, leading the police service to consider reassigning individuals to different roles for security reasons.