The U.K. Electoral Commission, the body responsible for elections in the country, has disclosed a stunning data breach involving the personal information of anyone who registered to vote in the U.K. between 2014 and 2022 — potentially up to 40 million people.

The “incident” was first identified in October 2022 after suspicious activity was detected in the systems of the commission. Further investigation revealed that “hostile actors” first accessed the systems in August 2021.

Though the form of the attack or how access was gained weren’t disclosed, the attackers gained access to servers that contained emails, control systems and copies of the electoral register. The attackers subsequently access copies of the electoral register, which are claimed to have been held by the commission for research purposes to enable permissibility checks on political donations.

The stolen electoral data included the name and address of anyone who registered to vote between 2014 and 2022 and details of registered overseas voters. As the commission’s email systems were also accessed, the full list of personally identifiable information that may have been stolen included names, email addresses, home addresses, phone numbers, web form information and any personal images sent to the commission.

“We understand the concern this attack may cause and apologize to those affected,” the commission said in a statement today. “Since the attack was discovered, we have worked with security specialists to investigate the incident and have taken action to secure our systems and reduce the risk of future attacks.”

The obvious standout in the disclosure is when and where. The breach occurred in August 2021, was discovered in October 2022 and has only now been disclosed. Suffice as to say the reaction has not been positive, with The Guardian describing the delay in disclosing the breach to the public as putting confidence in the electoral regulator into question.

The Electoral Commission did disclose the attack within 72 hours to the Information Commissioner’s Office as well as the National Crime Agency, but the delay in disclosing the breach to those affected is where concerns have been raised.

“The recent revelation of a data breach affecting the U.K.’s registered voters is deeply concerning, both because of its scale and the significant delay in its disclosure,” Nikhil Girdhar, senior director of data security at unified data control company Securiti Inc., told SiliconANGLE. “This incident underscores the pressing need to evaluate organizational preparedness in both preventing and responding to security threats.”

Photo: secretlondon123/Wikimedia Commons