Social security numbers, driver’s licenses and other personal information of thousands of Americans were stolen from a voter registration agency.
The District of Columbia Board of Elections (DCBOE) revealed that its full voter roll systems were accessed in a data breach this month, allowing hackers to identify specific individuals.
A hacking group known as RansomVC accessed 600,000 lines of data, including DC voter records, and is now selling the data on the dark web.
DCBOE stated it is working with federal government partners, like Homeland Security and the Federal Bureau of Investigation (FBI), to resolve the issue – and has not revealed how significant the hack might be.
The data breach happened on October 5, which saw RansomVC access the web server of DataNet, the hosting provider, DCBOE shared in an October 6 press release.
DCBOE also shared that the stolen data came from voters participating in its canvas process from August 9, 2019 to January 25, 2022.
But, the agency claims fewer than 4,000 voters were impacted.
While a majority of the information is public record, such as address and political affiliation, partial social security numbers and driver’s licenses were accessed – enough information for hackers to piece together individual identities.
‘Once reviewed internally, DCBOE will share what exact voter information was accessed and will contact individuals that are impacted,’ a statement from the board said.
Roger Grimes, data-driven defense evangelist at KnowBe4, commented on the potential for breaches of this kind to enable further criminal activity.
‘As always, these sorts of data breach incidents invite malicious actors to be able to create more specific spear phishing emails where potential victims are contacted by a sender who purports to be a legitimate contact,’ Grimes said.
‘The inclusion of stolen details allows the attacker to appear more legitimate than if they did not have the stolen data.
‘And spear phishing emails are far more likely to compromise potential victims than a general phishing email with no private details about the victim.’
DCBOE said it plans to contact all registered voters shortly and work with cybersecurity consulting firm Mandiant for the next steps.
The agency has shut down its website until further notice but shared that DC residents are safe to register to vote.