WASHINGTON (DC News Now) — The District of Columbia Board of Elections (DCBOE) was hacked. Officials said they became aware of the breach on Oct. 5.
The hacking group known as RansomVC claimed to have breached DCBOE’s records. The group got access to 600,000 lines of U.S. voter data, including D.C. voter records.
“We have seen this threat actor flare up over the last month or so with some pretty brazen allegations of hacking some pretty big brands and extracting, you know, large files of data,” said Shane Sims, former FBI special agent and CEO of cybersecurity firm Kivu Consulting.
DCBOE found that the records were accessed through a breach in its website hosting provider, but no internal DCBOE databases or servers were directly endangered.
“It’s really like, surprising and I would hope that all of this is well-protected and, you know, it’s not,” said D.C. voter Harlen Valenzuela.
After learning of the hack, DCBOE said it took down its website and replaced it with a maintenance page after discovering that the website was the source of the breach. It also did vulnerability scans and started internal assessments while working with data security partners to investigate.
“I think it’s just kind of a bummer to hear that the D.C. local government maybe doesn’t have the best security, and it’s a shame that these things have to happen for them to now start probably prioritizing and trying to do better,” said D.C. voter Luis Burdiel.
In D.C., voter registration data includes voter names, addresses, voting records and party affiliation. That is public information if requested. Still, there is concern about it.
“If you have that, you’re well down the road of being able to commit financial fraud against consumers,” Sims said.
According to the news outlet CyberScoop, someone offered to sell the data in an online forum on Tuesday, which included driver’s license numbers and the last four digits of voters’ Social Security numbers.
Sims said that indicates to him the remaining numbers were blocked out, which is a sign of security control on the website.
He recommended changing passwords online, including email and social media accounts.
“Protect your information, assume that it’s out there and people are trying to commit fraud.”
At-large Councilmember Anita Bonds, chairperson of the Committee on Executive Administration and Labor, which oversees DCBOE, released a statement on the data breach.
“Whenever there is a report of a data breach it must be taken very seriously,” Bonds said. “The DC Board of Elections responded responsibly and moved swiftly after being alerted by a database user that noticed irregularities in the system. The security breach was with one of the DC Board of Elections vendors and not the DC Board of Elections itself.”
D.C. At-Large Councilmember Anita Bonds released a statement after the data breach that said, in part, “Currently, the D.C. Board of Elections website is down, and it will take a few days for it to be restored and available to the public. With next year’s election cycle approaching, I especially appreciate the diligence of all parties to work expeditiously to resolve this incident on behalf of District residents.”
DCBOE is working with the FBI, Homeland Security and other data security partners to investigate what happened.
