Reported cyber attack on the Electoral Commission (August 2023)

The Electoral Commission

The Electoral Commission has announced on Tuesday 8 August 2023 that the organisation has been the subject of a complex cyber-attack. The incident was identified in October 2022 after suspicious activity was detected on their systems and it is likely that hostile actors first accessed their systems in August 2021. The Commission believes that their email system and the electoral registers were accessed. No groups or individuals have claimed responsibility for the attack.

The Electoral Commission is the independent body which oversees elections and regulates political finance in the UK. They do not process electoral registration applications or amend the Electoral Register.

The Commission has since worked with external security experts and the National Cyber Security Centre to investigate and secure its systems.

They have taken steps to secure their systems against future attacks and improved protections around personal data - strengthened network login requirements, improved the monitoring and alert system for active threats and reviewed and updated firewall policies.

The attack has not had an impact on the electoral process, has not affected the rights or access to the democratic process of any individual, nor has it affected anyone’s electoral registration status.

Below sets out information regarding the cyber-attack and any implications for residents of North Kesteven.

More details from the Electoral Commission's website

What electoral register data may have been accessed?

Electoral registers held at the time of the cyber-attack include the name and address of anyone in the UK who was registered to vote between 2014 and 2022 and the date on which a person achieves voting age that year, as well as the names of those registered as overseas voters. 

The Commission advises that electoral register data held by them has not been amended or changed in any way because of the attack and remains in the form in which they received it. 

While the data contained in the electoral registers is limited, and much of it is already in the public domain, the concern this attack may cause is understandable.

Position for North Kesteven and registering to vote

North Kesteven District Council has not been the direct subject of this cyber-attack.

The registers that we hold are live versions of the electoral registers used to send out polling cards and at polling stations to check voters are registered and eligible to vote. Our registers are unaffected by this cyber-attack.

This has no impact on the ability of registered electors to take part in the democratic process and will not affect your current registration status or eligibility.

Currently, we are contacting every household in North Kesteven to request information about who is resident at the address to make sure that everyone who is eligible to vote is able to vote.

The way we contact you will depend on the contact details you have provided to us – this could be email or telephone number or by post.

This is called the annual household canvass and it is a legal requirement to undertake to ensure the Register is complete and accurate.

The most important thing is that you read our communication very carefully as it will tell you whether you need to respond or not.

If no one is eligible to register to vote at a property, the form must still be returned to confirm you are a resident (even though you cannot register to vote) and that there are no new people to add.

Is there an impact on individuals?

According to the risk assessment used by the Information Commissioner’s Office to assess the harm of data breaches, the personal data held on the electoral registers does not in itself present a high risk to individuals. They have been unable to ascertain whether the attackers read or copied personal data held on their systems.

Information related to donations and/or loans to registered political parties and non-party campaigners is held in a system not affected by this incident.

Your data and checks you can do

There is no indication that information accessed during this cyber-attack has been published online, but there remains the possibility that some information has found its way into the public domain. There are a few steps that can be taken to check whether your personal information is publicly available.

If you have not opted out of the open electoral register, the information held by the Electoral Commission will already be publicly accessible via websites such as Please see below for further information about the open electoral register.

If you want to check if your email address has been compromised, use to see if your email address has been released through reported data breaches.

If you think that you have supplied any financial data to the Electoral Commission via email, there are free online credit check tools by reputable companies such as Experian, which include online identity theft protection and monitoring.

Mitigations and how to contact the Electoral Commission

No immediate action needs to be taken in response to this notification. However, anyone who has been in contact with the Commission, or who was registered to vote between 2014 and 2022, should remain vigilant for unauthorised use or release of their personal data. If you have concerns over personal data which you may have sent to the Commission, please email the Electoral Commission Data Protection Officer, or write to:

Electoral Commission
3 Bunhill Row

The Data Protection officer at NKDC is Andrew Simpson, Head of Digital, Data, Technology and Facilities.

Open and full register

There are two versions of the electoral register.
The full version includes the name and address of everyone who is registered to vote, except those who register to vote anonymously. This is used for:

  • campaigning activities (for example, candidates and political parties sending election communications to voters, surveying opinions or fundraising)
  • preventing and detecting crime
  • checking applications for loans or credit
  • jury summoning in England, Wales and Northern Ireland

The open register is an extract of the full electoral register. This version is available to anyone who wants to buy it, such as businesses or charities. You can opt out of the open register when you register to vote.

If you are already registered to vote here at North Kesteven and want to opt out of the open register, you can do so at any time, by contacting the elections team.

The request must contain your full name, and address, and you will need confirm that you want to be removed from the open register.