Data Breach

March 19, 2024 update:

As of March 19, 2024, the DC Board of Elections continues to work with its federal and local partners to assess what DC voter information, if any, was accessed and shared during the October 2023 data breach. In addition, DCBOE continues to monitor its systems to identify potential cybersecurity threats and/or vulnerabilities. DCBOE will share updates as they become available.

December 26, 2023 update:

Between December 20 and December 24, 2023, DataNet Systems sent out an email notification to District of Columbia registered voters whose voter data may have been part of the October data breach. The notification provided steps that voters can take to protect their personal information, including details about credit reporting and monitoring. To learn more, visit DataNet’s website at https://www.dnscorp.com/data-breach.

Have Questions? 

If voters have questions or think they may be impacted, they may reach out to DataNet at (888) 817-5125, Monday through Friday from 9 am - 9 pm Eastern Time or visit https://response.idx.us/datanet/.

October 20, 2023 update:

On Friday, October 20, during a daily morning check-in call with DataNet Systems, DCBOE learned that:

• DataNet Systems’ breached database server did contain a copy of the DCBOE’s voter roll.
• DataNet Systems confirmed that bad actors MAY have had access to the full voter roll which includes personal identifiable information (PII) including partial social security numbers, driver’s license numbers, dates of birth, and contact information such as phone numbers and email addresses.
• DataNet Systems could not pinpoint if or when this file may have been accessed or how many, if any, voter records were accessed.

Out of an abundance of caution, DCBOE will reach out to all registered voters. In addition, DCBOE will be engaging with Mandiant, a cybersecurity consulting firm, to assist with next steps.

This remains an ongoing and active investigation.

What Can A Voter Do Now?

This remains an active and open investigation. DCBOE will release its full findings when they are available.

DCBOE is committed to full transparency with the public and will contact DC voters about next steps.

In the meantime, residents are encouraged to follow DCBOE on social media for updates. For immediate concerns, residents may email inquiries to [email protected].

Is it safe to share information with the DCBOE?

Yes. Voter registration remains open, active, and secure for District of Columbia residents.

Overview:

On October 5, 2023, the District of Columbia Board of Elections (DCBOE) became aware that a hacking group known as RansomVC claimed to have breached DCBOE’s records and accessed 600,000 lines of US voter data, including DC voter records.

DCBOE has found that voter records were accessed through a breach of the web server of DataNet Systems, DCBOE’s website hosting provider. No internal DCBOE databases or servers were directly compromised.

DCBOE continues to assess the full extent of the breach, identify vulnerabilities, and take appropriate measures to secure voter data and systems.

Investigation steps taken by the DCBOE:

October 6, 2023: Initial Investigation steps:

• DCBOE initiated an internal assessment and began working with its data security and federal government partners to investigate the breach. These partners include, but are not limited to, the Multi-State Information Sharing and Analysis Center (MS-ISAC), the Federal Bureau of Investigation (FBI), Homeland Security (DHS), and the Office of the Chief Technology Officer (OCTO). DCBOE is collaborating with MS-ISAC’s Computer Incident Response Team (CIRT) to resolve the issue.
• DCBOE took down its website and replaced it with a maintenance page upon learning that its website was the source of the breach.
• DCBOE conducted vulnerability scans on our database, server, and other IT networks.

October 10, 2023 update:

• DCBOE continued to work with the Multi-State Information Sharing and Analysis Center (MS-ISAC)’s Computer Incident Response Team (CIRT) to conduct a forensic analysis of the data set to determine the specific DC voter data that is contained in the records. DCBOE will share the full report when it is available.
• DCBOE continued to monitor internal databases/servers and conduct network vulnerability scans to ensure the safety of DC voter data.
• DCBOE’s website remained down and in maintenance mode.
• DCBOE shared updates on social media and press.

October 16, 2023 update:

• DCBOE continues to work with the Multi-State Information Sharing and Analysis Center (MS-ISAC)’s Computer Incident Response Team (CIRT) on a forensic analysis of the data set.
• This initial preliminary analysis found that the data breach contained fewer than 4,000 voter records.
• The records were from August 9, 2019 to January 25, 2022 and contained information from voters who participated in DCBOE’s canvass process, which is conducted every odd-numbered year to ensure the voter roll is up-to-date.
• DCBOE received MS-ISAC’s full analysis report and began reviewing. After internal review, DCBOE announced it would share what exact voter information was accessed and will contact individuals that are impacted.
• DCBOE’s website remained down and in maintenance mode. However, it remained safe and secure to register to vote online.

Press Releases:

• DCBOE Responds to Voter Information Data Breach (October 6, 2023)
• UPDATE: DCBOE Voter Information Data Breach Investigation, Website Status (October 10, 2023)
• DCBOE Shares Preliminary Information on Data Set Contents (October 16, 2023)
• DCBOE Data Breach Update: Possible Access to Voter Roll (October 20, 2023)
• DCBOE Shares Update on Email Outreach to Voters about October 2023 Data Breach (December 27, 2023)