Backlash mounts over UK Voter Data Breach

The UK Electoral Commission is grappling with severe criticism over its belated acknowledgment of a sweeping cyber intrusion that laid bare confidential information linked to 40 million voters.

The Commission identified the breach in October 2022 but delayed announcing it publicly until August 2023. During the period of the breach, which extended back to August 2021, the attackers had access to the Commission’s email servers, control systems, and copies of the electoral registers.

The breach was reported within 72 hours to the UK Information Commissioner’s Office (ICO), as well as the National Crime Agency. However, the Commission chose to withhold this information from the public for 10 months, sparking doubts about transparency, data integrity, and the entity's capacity to manage such incidents effectively.

News about the breach finally emerged through a public notice posted on the Commission’s official website. According to the notice, the incident was initially identified in October 2022, when the agency's internal systems flagged unusual activity. It subsequently transpired that unauthorized parties had illicitly accessed the systems as early as August 2021.

“The registers held at the time of the cyber-attack include the name and address of anyone in Great Britain who was registered to vote between 2014 and 2022, the names of those registered as overseas voters during the same period, and the names and addresses of anyone registered in Northern Ireland in 2018.”

The breach included full names, email addresses, residential locations, contact telephone numbers, content from web forms, and conceivably personal images submitted to the authority.

The Commission, however, played down the risk, stating that “The electoral register data held by the Commission has not been amended or changed in any way as a result of the attack and remains in the form in which we received it. The data contained in the registers is limited, and much of it is already in the public domain.”

“The personal data held on the Commission’s email servers is also unlikely to present a high risk to individuals unless someone has sent us sensitive or personal information in the body of an email, as an attachment or via a form on our website. Such information may include medical conditions, gender, sexuality, or personal financial details. Information related to donations and/or loans to registered political parties and non-party campaigners is held in a system not affected by this incident.”

While the electoral register can be inspected by the public, this can only be done via electoral registration officers, and only handwritten notes are permitted. The data may not be used for commercial or marketing purposes.

The tardy revelation of the breach has sparked widespread concern. The digital advocacy group Open Rights Coalition (ORC) vented its displeasure on social media, contending that the undisclosed breach had exposed individuals to the perils of fraud, identity theft, and the potential targeting of homes.

Commission Chair John Pullinger voiced support for withholding information for 10 months, highlighting the potential hazards associated with untimely disclosure prior to addressing security vulnerabilities.

The revelation of the data breach comes as the UK considers replacing traditional paper ballots with an e-voting system. Shaun McNally, Chief Executive of the Commission, claims that maintaining traditional methods will make it harder for cyber-attacks to influence election outcomes.