There are lots of threads for individual data breaches, but cumulatively they tend to just take over whatever the current active privacy/security/password manager thread is at the time.
So I thought I’d make a general one for this new breach to serve as a bit of a dumping ground for sharing future data breaches, akin to the permacrises thread.
I think it’s an important topic to have given how closely linked these things can be to identity theft, and fraud, and the impact that can have on our financial lives.
The electoral commission suffered a data breach in October last year after hackers got unauthorised access to their systems. They are only informing us about this today.
They got access to quite a bit, but most prominently were the electoral registers containing the names and addresses of everyone registered to vote between 2014 and 2022. I can’t understate the significance of that.
Tweets to follow…
Maybe. Didn’t come up when I searched for data breaches. Could use a more effective wiki title.
Surely there ought to be some level of compensation due for customers whose data is being stolen left right and centre from companies/organisations that think an Excel file encrypted with Password123 is sufficient security.
Whilst not usernames and passwords, this is about as bad as it gets.
The data isn’t that much more revealing than the telephone directory, is it? So, for most people, this is probably of little consequence.
That said, there will be people who have very good reasons for not wanting their address published, and may have gone to great lengths to hide it, so will be interesting to see how they might be compensated (because in a tiny number of cases I’d think the damages could be enormous).
It’s yet another reminder that cybersecurity is vital, and we’re not doing enough…
Edit: actually, it looks like the anonymous list hasn’t been breached, which would limit the damage quite significantly
What’s strange is they say the exact opposite. In fact the whole article sounded like a teenager who didn’t hand their homework in on time having to apologise to the rest of the class.
Found out in Oct last year that someone 15 months earlier (!) had accessed the systems and only now reporting about it.
Does this mean that a GE is coming up and they want to admit to this now before the parties start their campaigns. Why else wait so long to put this out
Really not that big imo, seems to just be the public electrical roll that was taken? All publicly available anyway?
For those on the edited register it isn’t. The data they had access to is public data. For those like me who aren’t on the edited register it’s a pretty big deal and it’s pissed me off.
If you’re on the edited register no. If you aren’t, well your information won’t be in the telephone directory, so it’s very revealing. I opt out of the edited for a very specific reason, and this breach violates it.
I suspected someone was illegally accessing my data from full register a few years back and had a pretty heated row with the commission over it.
No, it’s the full register they had access to. By Sky’s estimation that’s the information of 28 million people that wasn’t public despite the commission’s claims implying most people are on the edited register.
The Electoral Commission said the data for most of these people would have been publicly accessible anyway because they are on the open register.
But almost 28 million people opted out of the open register that year, according to a Sky News analysis.
I know not in the same vain, but this is also pretty staggering! Data breach identifies thousands of police officers in Northern Ireland
As a public sector worker, I would feel incredibly at risk if some of my customers found out where I lived!
It is a horrific leak of data from an area that, while not quite as dangerous as it was in the '90s and earlier, is still particularly sensitive. However:
The report I read (not the one you linked to as that was paywalled for me) explicitly said that home addresses were not part of the leak. Any mention of location would refer to where they worked, not where they lived.
Here’s the BBC Version. Addresses aside this could have serious consequences considering the arena the NI police operate in.
What’s next. Feels less random and more testing the waters.
99% sure the full register is public too. You can visit your council office and ask to see it.
It is fully public… just not available online or for sale like the open register:
The full Register of Electors lists the names and addresses of all those registered to vote in public elections and is open to public inspection.
Yes but there are very strict laws and regulations which govern that access and what you can use it for. It’s an unlimited fine if you violate them.
The person inspecting the register has to provide their identity, and the council can then supply that to me if I ask for it.
I still don’t like it, but it’s the best I’m afforded. It’s largely why we have to have an anonymous one too, to protect those in witness protection or victims of domestic violence.
Yes I agree. There feels like an extremely wide gap between ‘open to the public’ as in, ‘any member of the public can visit the relevant local council office for a very limited time, look at it and make some handwritten notes’ vs ‘the entire national register is now somewhere online in a huge downloadable list’.
I don’t know why either of these are being reported as breeches. Because neither of these would be in my books.
The first one was an accidental release of data and this second one is just poor data control measures.
Seems exceptionally poor to be so lax with this information.
You’ve just described exactly what a data breach is.
A data breach is a security violation, in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen, altered or used by an individual unauthorized to do so. Other terms are unintentional information disclosure, data leak, information leakage and data spill.
It doesn’t have to be malicious to count as a breach. The only requirement is for protected data to be accessible to unauthorised persons be that through malicious acts, lax controls or paranormal activity.