Data Breach at DC Board of Elections Exposes Voter Information

Introduction

The District of Columbia Board of Elections (DCBOE) has announced that a web server operated by DataNet Systems hosting provider was breached in early October, potentially exposing the personal information of all registered voters in the district. The breach has raised concerns as it may have compromised a comprehensive voter roll containing various personally identifiable information (PII) including driver’s license numbers, dates of birth, partial social security numbers, and contact details such as phone numbers and email addresses.

The DCBOE has taken immediate action by engaging with the cybersecurity consulting firm Mandiant to assist in the incident response process. Additionally, the board plans to reach out to all registered voters to ensure their awareness of the breach and the potential risks associated with the exposure of their personal information.

Website Breach and Response

The breach came to the attention of the DCBOE on October 5, 2023, after a threat actor known as RansomVC claimed to have stolen 600,000 lines of U.S. voter data, including the voter records of Washington D.C. residents. Following the discovery, the DCBOE collaborated with MS-ISAC’s Computer Incident Response Team (CIRT) to promptly take down their website, which was identified as the source of the breach. The website was temporarily replaced with a maintenance page to mitigate the impact of the incident.

An investigation into the breach revealed that the attackers gained unauthorized access to the information through the web server of DataNet, the hosting provider for Washington D.C.’s election authority. It is important to note that no DCBOE databases or servers were directly compromised during this incident.

The DCBOE is actively working with external security experts, the Federal Bureau of Investigation (FBI), and the Department of Homeland Security (DHS) to investigate the breach thoroughly. The primary objectives of the investigation are to assess the extent of the breach, identify the vulnerabilities exploited, and implement enhanced security measures to protect voter data and systems.

Stolen Data and Dark Web Activity

RansomVC, the threat actor responsible for the breach, claims to have successfully penetrated the District of Columbia Board Of Elections and acquired over 600,000 lines of USA voter data. The stolen data includes personal information such as names, registration IDs, voter IDs, partial Social Security numbers, driver’s license numbers, dates of birth, phone numbers, and email addresses. The threat actor has made the stolen data available for sale on the dark web, but the price remains undisclosed.

While RansomVC is currently the only threat actor selling the data, it was reported that a user named pwncoder initially offered the stolen DCBOE database for sale on hacking forums such as BreachForums and Sinister.ly. However, those posts have since been removed, leaving RansomVC as the sole seller of the compromised data.

Additional Claims and Uncertainty

In addition to the DCBOE breach, RansomVC has made claims regarding unauthorized access to Sony’s servers and the theft of over 260GB of files. However, these claims have been challenged by another threat actor known as MajorNelson, who released a separate archive of files allegedly taken from Sony’s systems. The authenticity of these claims has not been independently verified by BleepingComputer or any other reliable source.

Conclusion

The data breach at the DC Board of Elections has exposed the personal information of registered voters in the District of Columbia. The DCBOE is actively investigating the incident with the support of external security experts and law enforcement agencies. Steps are being taken to safeguard voter data and systems, including engaging with cybersecurity consultants and reaching out to affected individuals. It is crucial for all registered voters to remain vigilant and take necessary precautions to protect their personal information in the wake of this breach.