The D.C. Board of Elections appears to have revised its estimate of how much data was accessible to a threat actor who listed it for sale on a dark web site. The listing had claimed to have 600k lines of voter registration records from the D.C. Board of Elections, but a preliminary statement by the D.C. BOE claimed that there were fewer than 4,000 registered D.C. voters whose data was accessed or acquired from DataNet Systems’ database.
Today, the D.C. BOE issued another update that seems consistent with the threat actor’s claims:
Washington, D.C.— The District of Columbia Board of Elections (DCBOE) provides the following update on the voter data breach:
On Friday, October 20, during a daily morning check-in call with DataNet Systems, DCBOE learned that:
- DataNet Systems’ breached database server did contain a copy of the DCBOE’s voter roll.
- DataNet Systems confirmed that bad actors MAY have had access to the full voter roll which includes personal identifiable information (PII) including partial social security numbers, driver’s license numbers, dates of birth, and contact information such as phone numbers and email addresses.
- DataNet Systems could not pinpoint if or when this file may have been accessed or how many, if any, voter records were accessed.
Out of an abundance of caution, DCBOE will reach out to all registered voters. In addition, DCBOE will be engaging with Mandiant, a cybersecurity consulting firm, to assist with next steps.
This remains an ongoing and active investigation. DCBOE will continue to share updates on social media and its website, which is currently live but still being updated.
Residents may also email any inquiries or questions to questions@dcboe.org.