PSNI and UK voter breaches show data risks should be taken more seriously
“It’s brutal. People are wondering if they should resign, or move house, or get fortified gates. You can feel the anger.”
The comment from a former officer in the Police Service of Northern Ireland (PSNI) underlines the real-life consequences of an all-too frequent occurrence: a data breach.
The UK data watchdog received reports of more than 9,000 personal data breaches last year but the vast majority do not generate public debate, perhaps because the impact is not immediately obvious or the population has become inured to a degree of data loss as an everyday cost of modern digital life.
Two incidents this week will have made people think again about what is happening with their data.
On Tuesday the PSNI, in a bungled response to a freedom of information (FoI) request, released an Excel spreadsheet containing details of more than 10,000 officers and employees. It was published on an FoI website called WhatDoTheyKnow for about two and a half hours before the PSNI realised the error and had it removed.
On the same day, the Electoral Commission revealed it had been hit by a cyber-attack resulting in the assailants accessing the names and addresses of anyone in the UK registered to vote between 2014 and 2022, equating to the data of 40 million people.
The security threat implicit in the PSNI breach is clear, after the force’s chief constable said on Thursday dissident republicans claimed to possess some of the information. In February masked gunmen seriously wounded a senior officer in Omagh, County Tyrone. A PSNI board member said this week that further attacks may follow in the wake of the breach.
The consequences for the breach at the Electoral Commission, an independent body that oversees UK elections, are less clear. It says it does not know whether the data accessed by the attackers, primarily reference copies of the electoral registers, has been downloaded. It also said its email system was breached, meaning any data contained in emails to the commission – such as email addresses, images of documentation and phone numbers – could have been taken.
The identity of the cyber-attackers is not known, but the commission has described it as a “complex” attack and former UK spy heads have said Russia, with its record of attempted electoral interference, is a strong suspect.
Working on the assumption that the electoral register copies have been taken, some experts say the data could be combined with other available data to profile users and potentially target them with, for instance, artificial intelligence-generated disinformation around election time.
Harjinder Lallie, a senior academic in cybersecurity at the University of Warwick, describes the information exposed in the Electoral Commission hack as the potential building blocks for a manipulation campaign, operated by a hostile state, that could be targeted via email, post, WhatsApp groups or social media platforms.
“As far as state actors are concerned the building blocks to enable them to build [disinformation] campaigns are names and addresses. It helps identify people in terms of race, possibly in terms of their financial circumstances, and if combined with other means of data gathering, such as social media profiles, state actors can use that information to build neo-electoral campaigns,” he says.
The commission has moved to reassure voters about the integrity of the largely paper-based electoral system and that much of the data exposed is “already in the public domain” – for instance people, organisations and companies can already buy the open electoral register, which contains the same information.
And while some experts have said the data could be allied with the power of generative AI – tools that can mass produce plausible text, images and even voice – to make and send misleading communications at scale, others say this would be ambitious even for a hostile state.
John Hultquist, the chief analyst at cybersecurity firm Mandiant, said this week that intrusion into an electoral network was “not tantamount to manipulation of the vote”. He added, however, that the data could be targeted for different reasons, such as “assembling this information into a database that can be used to identify, track, and even exploit persons of interest”.
Personal information is available publicly (on social media profiles, for instance) or on the dark web, the term for areas of the internet accessible only via a specialised web browser. A cursory check on sites such as https://haveibeenpwned.com/ can show whether people’s emails, and other data, has been exposed in breaches.
Caroline Carruthers, who runs a data consultancy and is a former chief data officer at Network Rail, says data on people could be available from high-profile breaches such as British Airways in 2018 or from legitimate sources such as data brokers, who compile data about individuals from a number of sources – including the open electoral register – and then sell it to third parties.
She adds that social media profiles alone can offer a trove of information. Carruthers says a former East German national showed her a secret police report of a dinner party attended that was limited to a sheet of paper, whereas a friendship group on Facebook discussing a meal she recently attended contained far more detail.
“There was so much more potentially useful information on Facebook than there was in the Stasi report,” she says.
Carruthers adds that she hopes the PSNI and Electoral Commission incidents galvanise people’s attitudes towards protecting their data from commercial and criminal misuse.
“I would really hope this is a wake-up call. I have grave concerns about how we don’t take our data, and what it is being used for, seriously enough,” she says.