Hackers obtained the details of tens of millions of British voters in a “complex cyber attack” on the Electoral Commission that went undetected for more than a year, the elections watchdog admitted on Tuesday.

The body said “hostile actors” first breached its network in August 2021, gaining access to its file-sharing and email systems and obtaining copies of the electoral register, but “suspicious activity” was not identified until October 2022.

“We do not know who is responsible for the attack,” the commission said, adding that no groups or individuals had claimed the hack.

The commission said it was “difficult to accurately predict a figure” for how many people’s data had been affected, but it estimates each year’s register holds the details of “around 40mn individuals”. That is likely to make it one of the biggest ever UK data breaches, as measured by the number of people whose information was stolen.

It remained unclear on Tuesday whether the National Cyber Security Centre, the defensive branch of signals intelligence agency GCHQ, which investigated the attack, had identified the culprit.

The NCSC said it had given the commission “expert advice and support to aid their recovery after a cyber incident was first identified”, adding that “defending the UK’s democratic processes is a priority”.

The registers breached included the name, home address and date on which a person reached voting age of all those who registered for a ballot between 2014 and 2022, as well as details of overseas voters. The data of people who registered for a vote anonymously was not accessed.

The hack is the latest in a series of cyber security incidents to affect the public sector this year. Several local and national organisations were caught up in March’s ransomware attack on outsourcing group Capita, while others were hit by wide-ranging hacking spree by the Russian-speaking Clop gang in June, which exploited a vulnerability in the MOVEit file transfer service.

The commission “apologise[d] to those affected” and said it “regrett[ed]” the lack of sufficient protections, but insisted there was little risk of the hackers being able to influence the outcome of a vote or impersonate individual voters

However, it said the data could be matched to other information in the public domain and used to “infer patterns of behaviour or to identify and profile” people.

Shaun McNally, Electoral Commission chief executive, said the attack “highlights that organisations involved in elections remain a target, and need to remain vigilant to the risks to processes around our elections”.

“The UK’s democratic process is significantly dispersed and key aspects of it remain based on paper documentation and counting,” he added. “This means it would be very hard to use a cyber attack to influence the process.”

However, a senior western cyber security official sketched out a “nightmare scenario” in which hackers tampered with the versions of the electoral roll they were able to access. “What if there is a dispute between rolls held by different bodies? It’s true that we don’t have electronic voting, but there are ways of causing chaos and lack of trust anyway,” they said.

UK elections are administered by local authorities but the commission said that it had held “reference copies” of the electoral register for research purposes and to enable permissibility checks on political donations.

The hackers also had access to the commission’s email system and “control systems”, the watchdog said. This meant the email addresses and phone numbers of people who corresponded with the commission may have been taken.

The commission did not publicly disclose the data leak until 10 months after discovering the breach. This was because it needed to “remove the [hostile] actors and their access to our system”, assess damage and put in place “additional security measures”, it said.

The Information Commissioner’s Office, to which the commission also reported the breach, said it was “investigating as a matter of urgency”.

Former Tory security minister John Hayes said the authorities “need to establish the source of the attack” as a priority. Questions must be asked about whether it “could have been anticipated” and prevented with “more secure” cyber defences, he said.

Deputy Labour leader Angela Rayner said the “deeply concerning attack” highlighted the “critical importance” of the nation’s resilience to cyber attacks. Lessons must be learned about protecting the UK’s democracy, she added.