Electoral Roll Data Breach

In August 2023, the UK Electoral Commission revealed a cyberattack affecting voter information

KP Law can help victims to claim compensation

Have you been affected by the Electoral Roll data breach?

A cyberattack on the UK Electoral Commission exposed personal information of registered voters between 2014 and 2022. The breach compromised names, addresses, and other voter data. While no sensitive voting information was affected, the risk of identity theft and fraud remains high.

The Electoral Register gave public notification on its website on 8 August 2023 that the personal data breach had occurred. The notification stated that it had been identified in October 2022, However, the stolen data puts millions of citizens at risk of fraud and identity theft.

The affected individuals fall within the following parameters:

If you were registered to vote in the UK at any time between 2014 and 2022, you may be eligible.
The youngest eligible individuals were born around 2004, making them at least 20 years old in 2024.
There is no upper age limit—anyone who was a registered voter during this period could qualify.

The following categories of personal data currently believed to have been exposed in the breach:

Full name (first name & surname)
Home address (as registered for voting)
Date of birth (for attainers) (16- and 17-year-olds in Scotland & Wales, 17-year-olds in England & NI)
Voting eligibility status (e.g., eligible to vote in UK parliamentary elections or only local elections)
Indicators of postal or proxy voting status (excluding proxy details)

As stolen information is often used by cybercriminals, anyone affected by the breach should take immediate steps to protect themselves.

KP Law has launched an action to help those involved in the Electoral Register data security failure claim compensation for any distress or financial losses experienced because of this breach. We strongly urge anyone affected to register with us.

IF YOU ARE AFFECTED BY THE ELECTORAL REGISTER DATA BREACH, CONTACT US TO MAKE A NO-WIN, NO-FEE COMPENSATION CLAIM.

Victims of the Electoral Roll data breach could be at risk

The breach increases the possibility of targeted cyberattacks like phishing and identity theft. KP Law advises anyone affected to remain vigilant. Victims may be able to claim compensation for any financial losses or distress experienced due to this breach. The UK government and Electoral Commission are under increasing pressure to address the breach, with calls for improved cybersecurity policies and a comprehensive investigation into how the hack occurred and why vulnerabilities were left unchecked.

The breach also makes victims vulnerable to social engineering attacks, where cybercriminals manipulate individuals into divulging confidential information. The exposed voter data could be combined with other online data for more effective attacks.

Furthermore, victims may suffer long-term risks, as the stolen data spans years. This creates ongoing opportunities for cybercriminals to misuse the information, causing distress and potential financial losses for those affected. Find out if you’re affected and could claim compensation with KP Law.

Notably, the UK Electoral Commission reportedly failed the Cyber Essentials certification on multiple occasions, which ultimately resulted in the exposure of the personal data of over 42 million UK citizens. This raises serious concerns regarding the government’s ability to safeguard sensitive information.

KP Law continues to investigate the full scope of the data compromised.

We may be able to claim compensation for any distress or financial losses experienced because of this breach and we urge anyone affected to register with us.

REGISTER TO FIND OUT MORE ABOUT THE ELECTORAL ROLL DATA BREACH.

Talk to our expert data breach lawyers today on 0151 459 5850

Electoral Roll Data Breach Timeline

August 2021

First, on 24 August 2021, a hacker broke into the Defendant’s Microsoft Exchange Server by taking advantage of a known security flaw. They placed malicious code (called "web-shells") that allowed them to access the system again on 16 September 2021, 13 June 2022, and 2 August 2022. They also created a secret entry point (a "backdoor") on 14 March 2022 for future access.
October 2021 to March 2022

Second, a different hacker also got into the same server on 3 October 2021 and set up a malicious code. However, this malicious code was later removed. Despite that, they managed to gain access again on 14 March 2022.
October 2021

Third, on 28 October 2021, an employee noticed a problem with spam emails, which led to the discovery of malware (short for malicious software). The server was cleaned and reinstalled to get rid of the malware, but the data had already been stolen.

Your questions answered

FAQs about the Electoral Roll Data Breach

What happened in the UK Electoral Commission data breach?

In August 2024, the UK Electoral Commission revealed that cybercriminals had accessed 40 million voter records between 2021 and 2022, exposing personal data like names and addresses.

What data was exposed in the breach?

The breach compromised names, addresses, and voter information collected over multiple years. While voting outcomes weren’t affected, the stolen data could be used for identity theft or fraud.

Was the breach preventable?

Yes, experts suggest that the attack was preventable with stronger security measures, such as data encryption and regular system audits.

How was the breach discovered?

The breach went undetected for over a year, being discovered in October 2022 and publicly disclosed in August 2024 after an internal investigation.

Who is at risk because of this breach?

Anyone whose voter data was collected between 2014 and 2022 may be at risk of identity theft, phishing scams, or fraud due to the exposed personal information.

Can I claim compensation if affected by the breach?

Yes, affected individuals may be entitled to compensation for distress or financial losses. Legal actions, including no-win, no-fee claims, are available to assist those impacted.

Join our no-win, no-fee group action

What can you claim for?

While each case is judged on its own merits, there are some things we would typically look for when it comes to when claiming compensation following a data breach, cybercrime or other GDPR violation:

Financial loss

With stolen data, cybercriminals can make purchases using your bank and credit cards, apply for credit in your name, set up fraudulent bank accounts and access your existing online accounts.

Distress

GDPR failures, cybercrime and data breaches can have a significant impact on you, both mentally and physically. They can cause or exacerbate anxiety, stress and other psychological conditions.

Loss of privacy

Your data has value, and organisations must be held to account if they fail to protect your right to data privacy or otherwise do not uphold your GDPR rights.

How to protect yourself following a data breach or cybercrime

Protect your finances following a data breach or cybercrime

Contact your bank or credit card provider immediately if your financial data has been exposed.
Check all bills and emails for goods or services you have not ordered.
Check your bank account for unfamiliar transactions.
Alert your bank or credit card provider immediately if there is any suspicious activity.
Monitor your credit score for any unexpected dips.
Call Credit, Experian and Equifax to ensure credit isn’t taken out in your name.
Never provide your PIN or full password to anyone (even someone claiming to be from your bank).
Never been pressured into moving money to another account for fraud reasons. A legitimate bank won’t ask you to do this.

Watch out for further attacks and attempts to extract additional information from you

Follow the security instructions provided by the organisation that breached your data.
Never automatically click on any suspicious links or downloads in emails or texts.
Don’t assume an email or phone call is authentic just because someone has your details.
Be careful who you trust – criminals often use scare tactics to try and trick you into revealing your security details.
Know that, even if you recognise a name or number, it might not be genuine.
Don’t be rushed or pressured into making a decision. A trustworthy organisation would never force you to make a financial transaction on the spot.
Never provide your full password, pin or security code to someone over the phone (or via message). If a bank believes a transaction has been fraudulent, they will not ask for this information to cancel the transaction.
Listen to your instincts and ask questions if something feels “off”.
Refuse requests for personal or financial information and stop discussions if you are at all unsure.
Contact your bank or financial service provider on a number you know and trust to check if a communication is genuine.
Be cautious of unsolicited communications that refer you to a web page asking for personal data.
Don’t accept friend requests from people you don’t know on social media.
Review your online privacy settings.
Report suspected fraud attempts to the police and Action Fraud.

Put some data protection best practices in place to stop the threat from escalating

Register with the Cifas protective registration service to slow down credit applications made in your name.
Change your passwords regularly and use a different password for every account (a password manager can help with this).
Protect your devices with up-to-date internet security software.