UK Electoral Commission data breach
Chinese state-linked hackers exploited unpatched Microsoft Exchange ProxyShell flaws to dwell undetected in the UK Electoral Commission's systems for over a year, accessing electoral-register data on roughly 40 million voters.
- Victim: UK Electoral Commission
- Records: 40.0M
- Users: 40.0M
On 8 August 2023, the UK Electoral Commission disclosed that hostile actors had been inside its systems since August 2021, in one of the largest known breaches affecting British citizens — touching the personal details of roughly 40 million voters.
What happened
The intruders gained entry by exploiting the ProxyShell vulnerability chain in the Commission's on-premises Microsoft Exchange Server: three flaws (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) for which Microsoft had shipped patches in spring 2021. The Commission had not applied them. Chaining the flaws, the attackers impersonated a user account and planted web shells, giving them persistent control of the server.
Crucially, the attackers then dwelt undetected for more than a year. Suspicious activity was only spotted in October 2022, and the breach was not made public until August 2023 — a timeline the Commission attributed to the need to remove the actors and assess the damage first.
What was accessed
- Reference copies of the electoral registers held by the Commission, containing the names and home addresses of everyone registered to vote in the UK between 2014 and 2022, an estimated 40 million people. Those registered anonymously, whose details are held separately, were excluded.
- The Commission's email system and internal control systems were also accessible to the intruders.
The Commission assessed that the data, much of which is partly public, posed limited direct risk and that electoral processes were not affected, since the registers are static copies the attackers could read but not alter.
Regulatory and security findings
In December 2023, the ICO issued a formal reprimand, finding the Commission had failed to patch known vulnerabilities and operated with weak password hygiene — many accounts still used passwords identical or similar to those originally issued by the service desk, leaving them open to guessing.
Attribution
On 25 March 2024, the UK government attributed the intrusion to Chinese state-affiliated actors, naming APT31 and the Ministry of State Security front company Wuhan Xiaoruizhi Science and Technology, and imposing sanctions alongside the United States.
Why it matters
The breach combined a basic patching failure with a year-long undetected dwell time inside a body central to British democracy. It crystallised concern about state-sponsored targeting of electoral infrastructure and pushed UK public bodies toward stricter vulnerability-management and disclosure expectations.
Timeline
- August 2021: Hostile actors gain access to the Electoral Commission's network by exploiting the unpatched ProxyShell Microsoft Exchange vulnerability chain.
- August 2021 to October 2022: Attackers dwell undetected for over a year, with access to reference copies of the electoral registers and the Commission's email and control systems.
- October 2022: The Commission detects suspicious activity on its network and begins working to remove the intruders and harden its systems.
- 8 August 2023: The Electoral Commission publicly discloses the breach, nearly two years after initial access and ten months after detection.
- December 2023: The ICO issues a formal reprimand, finding the Commission failed to patch known vulnerabilities and had weak password practices.
- 25 March 2024: The UK government attributes the attack to Chinese state-affiliated actors and sanctions a front company and individuals.
Sources
- electoralcommission.org.uk: https://www.electoralcommission.org.uk/media-centre/electoral-commission-subject-cyber-attack
- ico.org.uk: https://ico.org.uk/media2/migrated/4030454/the-electoral-commission-reprimand.pdf
- bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/uk-govt-links-2021-electoral-commission-breach-to-exchange-server/
- techcrunch.com: https://techcrunch.com/2023/08/09/parsing-uk-electoral-commission-cyberattack/
- electoralcommission.org.uk: https://www.electoralcommission.org.uk/media-centre/electoral-commission-response-cyber-attack-attribution-0