Investigators have determined that the District of Columbia Board of Elections (DCBOE) data breach leaked the entire voter roll.
DCBOE became aware of the incident on October 6, a day after the Russian ransomware group RansomedVC claimed to have breached the board and accessed 600,000 lines of US voter data.
The Elections Board conducted a preliminary investigation and confirmed that the hacking group had compromised a server operated by hosting provider DataNet Systems. DCBOE also conducted a vulnerability assessment and IT audit and determined that no internal databases or systems were compromised.
Subsequently, the agency deactivated the website and began a comprehensive probe to determine the scope of the incident, working with federal agencies: the FBI, the Multi-State Information Sharing and Analysis Center’s (MS-ISAC) Computer Incident Response Team (CIRT), DHS, and the Office of Technology Officer.
“DCBOE continues to assess the full extent of the breach, identify vulnerabilities, and take appropriate measures to secure voter data and systems,” DCBOE said.
DCBOE also noted that potentially leaked personal details such as names, addresses, voting records, and political party affiliations were public records unless specifically protected.
The DC Election Board data breach leaked the entire voter roll
The DC Board of Elections has determined that the hacking group responsible for the breach obtained voters’ data, including DC voter records.
“Today, DCBOE learned the full voter roll MAY have been accessed in the breach of DataNet Systems’ database server,” the agency tweeted on October 20.
The agency also determined that the “breached database server did contain a copy of the DCBOE’s voter roll.”
The voter roll contained extensive personally identifiable information on DC voters that could be abused to execute phishing attacks.
“DataNet Systems confirmed that bad actors may have had access to the full voter roll which includes personal identifiable information (PII) including partial social security numbers, driver’s license numbers, dates of birth, and contact information such as phone numbers and email addresses,” DCBOE added.
However, the agency could not determine how many records were extracted from the compromised server. DCBOE’s previous assessment had suggested that fewer than 4,000 voters were impacted.
Investigations into data breach ongoing
DCBOE’s assessment had indicated that the data originated from voters who participated in its canvassing process between August 9, 2019, and January 25, 2022.
“The fact that DataNet Systems can’t say with any certainty when the data was accessed or for how long is also worrisome and makes me wonder if they were missing key security controls to protect such sensitive data,” said Ken Westin, Field CISO at Panther Labs.
Meanwhile, the DC Board of Elections promised to reach out to all registered voters and alert them to the data breach. DCBOE will also engage Google’s cybersecurity consulting firm Mandiant to assess the scope of the data breach and decide on the next steps.
Nevertheless, the voter roll breach did not affect the voter registration process. Individuals can still register to vote online or in person while the board continues to restore the affected website.
Election bodies are targets of nation-state cyberattacks intended to cause domestic instability and undermine adversaries’ government institutions.
In 2017, voting systems in at least 21 states suffered data breaches in a suspected Russian hacking campaign to undermine public confidence in US elections and weaken democracy. Bloomberg reported that up to 39 states were impacted.
“Given this is data of DC residents and the ransomware group responsible are out of Russia, there is a likely chance this information can end up in the hands of Russian intelligence,” Westin cautioned.