Reprimand issued to the Electoral Commission in respect of Articles 5(1)(f) and 32(1)(b). Between 24 August 2021 and 27 October 2022, a threat actor had access to the Electoral Commission’s systems and was able to access personal data held as part of the Electoral Register. This incident impacted approximately 40,000,000 individuals, and the initial access was gained via several unpatched software vulnerabilities. The investigation highlighted that appropriate technical and organisational measures were not in place at the time of the breach.