Date:

Oct 2023

Location:

United States of America

Summary

The District of Columbia Board of Elections experienced a data breach in which attackers accessed voter records through the web server of a third-party hosting provider, not through the agency's own systems. The attackers claimed more than 600,000 voter records, containing both information that is public under District regulations and confidential details such as partial Social Security numbers, driver's license numbers, and contact information. The agency confirmed that its internal systems were not affected, took its website offline, and worked with cybersecurity experts and federal authorities on the investigation and on vulnerability assessments. The stolen data was advertised for sale on the dark web by the RansomedVC group, which published a sample record as proof, while an anonymous report indicated that the same dataset had been listed on hacking forums by a different actor two days earlier, before those posts were deleted.

CIA Posture: available to members
Motives: 2 (available to members)
Tactics, Techniques & Procedures: 1 technique (available to members)
Threat Actors: 2 actors
Type: available to members
Location: available to members

Description

On October 5, 2023, the District of Columbia Board of Elections (DCBOE) became aware of a cybersecurity incident involving voter records following breach claims by the threat actor RansomedVC. The agency, responsible for overseeing elections and voter registration in Washington D.C., initiated an investigation that revealed unauthorized access occurred through the web server of DataNet Systems, its third-party hosting provider, rather than through DCBOE’s own internal databases or servers. Upon identifying the compromised website as the breach source, DCBOE took the site offline, replacing it with a maintenance page in coordination with the Multi-State Information Sharing and Analysis Center’s Computer Incident Response Team (MS-ISAC CIRT) to contain the incident. The agency collaborated with cybersecurity experts, the Federal Bureau of Investigation (FBI), and the Department of Homeland Security (DHS) to conduct a comprehensive security assessment of its systems. Concurrently, DCBOE performed vulnerability scans across its database, server, and IT networks to identify potential security gaps that may have facilitated the attackers’ access. RansomedVC claimed responsibility for the breach, asserting they exfiltrated over 600,000 lines of U.S. voter data from DCBOE.

The threat actor advertised the stolen data for sale on their dark web leak site, though no specific price was disclosed. As proof of authenticity, RansomedVC provided a sample record containing a Washington D.C. voter’s name, registration ID, voter ID, partial Social Security number, driver’s license number, date of birth, phone number, and email address. DCBOE clarified that while certain voter registration data—such as names, addresses, voting records, and party affiliation—is public under District regulations, confidential details like contact information and Social Security numbers are not publicly accessible. An anonymous source reported to BleepingComputer that the same dataset had initially been offered for sale on BreachForums and Sinister.ly by a user named “pwncoder” on October 3, prior to RansomedVC’s claim, though those forum posts were later deleted. RansomedVC’s credibility faced scrutiny due to prior disputes over their breach claims against Sony, where another threat actor, MajorNelson, released conflicting data allegedly from Sony’s systems. Neither the Sony nor the DCBOE data claims were independently verified at the time of reporting.

Sources: 1 source (available to members)