UK officials have disclosed that attackers gained access to electoral rolls, email, and other data in 2021 and remained in the system until 2022, when their presence was discovered. It is not clear why the government waited nearly a year to disclose the attack; during the intrusion the perpetrators were able to access voter data going back to 2014. In an age when most countries are extremely sensitive about election security, this is undoubtedly a troubling event for UK officials.
Why It Matters
Most "best practices" advice would tell you that if you discover an attack on your network, you need to disclose it to stakeholders within a matter of days or weeks, not a year. There were likely additional sensitivities to this investigation that precluded making it public before now (there are indications that it was carried out by a foreign intelligence agency, which raises national security issues). However, do not treat the UK officials' timetable as any kind of guideline for breach reporting.
Instead, follow their example and be transparent about the facts of the situation when you do disclose it: tell stakeholders what was taken (or what was accessible), how long the bad guys were in your system, when the attack started and ended, and other material matters. The regulators here have gone a step further and identified ways in which voter data might be used by threat actors. You do not need to do that, but you should count on disclosing more than you may be accustomed to in a commercial setting. This is not the time to keep secrets.