3. Why did it take so long for us to hear about it?
Technically, the Electoral Commission fulfilled its legal obligations under the UK GDPR. It told the ICO about the breach within 72 hours of discovery, and set about remediating it.
Article 34 of the GDPR says a data subject - that is, anyone affected by a breach - must be informed "without undue delay" if the breach "is likely to result in a high risk to the rights and freedoms of natural persons."
The Commission judged that the accessed personal data "does not pose a high risk to individuals." It makes it clear that it is notifying people now because of the data volume, rather than its sensitivity.
However, this is far from the norm. Even when personal data was not accessed, or was not judged to be of high risk, the de facto standard now is to tell data subjects at the same time as the regulator. Why the Electoral Commission failed to do so is unknown.
Mark Ridley, an experienced CIO and director at Ridley Industries, disagreed with the Commission's judgement of the data's sensitivity.
"If I had the information and was a sneaky hacker, I'd be thinking firstly that I could do lots of nice phishing with the electoral register data, pretending to be from a number of government agencies.
"Secondly, if it was all the mailboxes in all the past and current employees, there would be an absolute treasure trove of employee and external information to mine... That would mean anyone/everyone should be very suspicious of any email or physical mail they receive from the government for a while."
Dewi Price, CIO at Inizio Digital and formerly of institutions including Open University, Thames Water and Imperial College London, asked, "If they knew about the breach in October 2022, why has it taken 10 months to provide notification? The excuse that they 'had to remove the actors and their access' and 'put additional security measures in place' points to a very cumbersome technology estate and worrying lack of responsiveness."
The breach timeline - dating to August 2021 but not being discovered until October 2022 - points to a less-than-annual security review. Questions must be asked: is this acceptable for central government?