The District of Columbia Board of Elections (DCBOE) is currently probing a data leak involving an unknown number of voter records following breach claims from a threat actor known as RansomedVC. 

DCBOE operates as an autonomous agency within the District of Columbia Government and is entrusted with overseeing elections, managing ballot access, and handling voter registration processes.

Its investigation into the claims has revealed that the attackers accessed the information through the web server of DataNet, the hosting provider for Washington D.C.'s election authority.

Notably, the breach did not involve a direct compromise of DCBOE's servers and internal systems.

"On 10/5, DCBOE became aware of cybersecurity incident involving DC voter records. While the incident remains under investigation, DCBOE's internal databases & servers were not compromised," the agency said.

In close cooperation with MS-ISAC's Computer Incident Response Team (CIRT), DCBOE took down its website and replaced it with a maintenance page to contain the situation after identifying it as the source of the breach. 

Since the discovery of the incident, the election board worked with data security experts, the Federal Bureau of Investigation (FBI), and the Department of Homeland Security (DHS) to conduct a comprehensive security assessment of its internal systems.

Additionally, DCBOE initiated vulnerability scans across its database, server, and IT networks to identify potential security issues that might have facilitated the attackers' access to the stolen information. 

IMPORTANT: On 10/5, DCBOE became aware of cybersecurity incident involving DC voter records. While the incident remains under investigation, DCBOE’s internal databases & servers were not compromised. Our full statement is pictured below & will be available on our website soon. pic.twitter.com/VCuhXOJLqK

— DC Board of Elections (@Vote4DC) October 6, 2023

Stolen data up for sale on the dark web

RansomedVC alleges that the recent incident resulted in the theft of over 600,000 lines of U.S. voter data, encompassing records of D.C. voters.

"We have successfully breached the District of Columbia Board Of Elections and have gotten more than 600k lines of USA Voters," the threat actor says.

The stolen information is currently being offered for sale on the threat actor's dark web leak site, but the exact price is undisclosed.

As verification of the data's authenticity, RansomedVC has provided a single record containing what it claims to be the personal details of a Washington D.C. voter.

This dataset includes the individual's name, registration ID, voter ID, partial Social Security number, driver's license number, date of birth, phone number, email, and more. 

"It should be noted that in the District of Columbia, some voter registration data-such as voter names, addresses, voting records, and party affiliation-is public information, unless it has been made confidential in accordance with District of Columbia rules and regulations," the Washington election authority said in its statement.

However, election authorities do not provide access to confidential information such as voters' contact information and SSNs.

RansomedVC told DataBreaches.net, who first reported the data leak on Thursday, that the stolen voter records would be sold to a single buyer. 

Known for controversial claims

While RansomedVC has claimed the breach and is now selling the data on their leak site, an anonymous source said on October 3rd that DCBOE's stolen database was first put up for sale on the BreachForums and Sinister.ly hacking forums by a user named pwncoder (those posts have since been deleted).

As it was told, the data was dumped from a stolen MSSQL database and contained the information of more than 600,000 D.C. voters. 

Recent claims made by RansomedVC to have breached Sony's systems and stolen over 260GB of files (with a 2MB leaked archive as evidence) were disputed by another threat actor who identifies as MajorNelson.

The latter party released a 2.4 GB archive of files on BreachForums, allegedly taken from Sony's systems.

While the data shared by these attackers seems linked to Sony, the authenticity could not be independently validated of either party's claims.