In the wake of the revelation that a hostile cyber-attack between February and May of last year was able to access the data of 40 million voters without being detected, along with the lack of notification to the public for about ten months, public confidence in the UK's electoral regulator has been sorely tested. 

It is estimated that the personal information of approximately 40 million U.K. voters has been vulnerable for over a year – as a result of the Electoral Commission falling victim to a complex cyberattack. It has been reported that in October 2022, the Electoral Commission noticed suspicious activity on its network and confirmed that it had detected it. 

The Electoral Commission is responsible for supervising elections in the country. Unidentified "hostile actors," however, gained access to the company's systems over a year earlier, in August 2021, and it was later revealed that the company had been compromised by such actors. 

There have been reports to the Information Commissioner's Office (ICO) as well as the National Crime Agency that the attack was detected within 72 hours after it was reported to them. An intrusion allowed unauthorized access to the servers of the Commission, which house email, control systems, and copies of the electoral registers that the Commission maintains for research purposes, having enabled the intrusion to become successful. It is currently unknown who the intruders are and where they came from.

However, the Commission did tell the BBC and The Guardian that it delayed this disclosure by another 10 months to prevent the adversary from getting access to the network, investigate the extent of the breach, and enforce security safeguards. It is not clear why the disclosure was delayed by another 10 months. 

As noted in the report, the Commission noted that the data that can be accessed is also able to be combined with information that is publicly accessible to "infer patterns of behaviour or to identify and profile individuals and groups of individuals." 

Furthermore, it said that the attack had no impact on the electoral process or the electoral registration status of any voters and that there is little risk to people in terms of their details held on the email servers of the company, except that they contain any sensitive information. 

Among the names and addresses included in the registers were those of a person residing in the United Kingdom, who will be eligible to vote between 2014 and 2022, as well as the names of those who plan to cast their ballots from outside of the United Kingdom. 

Nevertheless, they did not contain any information regarding those who qualified for anonymous registration as well as addresses for overseas electors who were registered outside of England and Wales. An attack was discovered by the Information Commissioner's Office (ICO) and the National Crime Agency within 72 hours of being discovered last October.

As a result, the ICO immediately reported the incident to both entities. Despite this, it was only recently disclosed to the public that millions of voters' data may have been if not all, accessible through the election registers over the last several years. 

There is no conclusive way that the Electoral Commission can determine what information had been accessed. The attackers are unknown to have been associated with a hostile state, such as Russia, or with a cyber gang that offers a criminal nature. 

The Electoral Commission has said that the records of most of these people would have been publicly accessible anyhow because they were on the open register, to begin with. However, a Sky News analysis reveals that about 28 million people missed out on the open registration system that year, as a result of their own decisions.