DC elections agency warns entire voting roll may have been stolen

Home of the Republic seemingly hit by Sony/NTT Docomo ransomware crew


The US capital's election agency says a ransomware crew may have stolen its entire voter roll, which includes the personal information of all registered voters in the District of Columbia.

The DC Board of Elections (DCBOE) first became aware of the intrusion on October 5, when a criminal gang called RansomVC claimed to have broken into a server belonging to DataNet Systems, the agency's website hosting provider, and accessed 600,000 items of US voter data including DC voter records.

According to DCBOE, none of its own internal databases or servers were accessed, but important information was on DataNet's servers.

In a Friday update posted on its website, the voting agency said the break-in now looks worse than it originally thought. During a daily check-in call with DataNet Systems, DCBOE learned - 15 days after the initial attack - that the compromised server "did contain a copy of the DCBOE's voter roll."

"DataNet Systems confirmed that bad actors may have had access to the full voter roll which includes personal identifiable information (PII) including partial social security numbers, driver's license numbers, dates of birth, and contact information such as phone numbers and email addresses," the agency added.

It said the service provider couldn't definitively say "if or when" the incident occurred, or "how many, if any, voter records were accessed." The elections agency says it will now contact all registered voters, and it has also hired Mandiant to assist with the incident response.

"This remains an active and open investigation," the statement said. "DCBOE will release its full findings when they are available." The agency didn't have any further updates as of Monday morning, DCBOE spokesperson, Sarah Winn Graham, told The Register.

DCBOE is also working with law enforcement and federal government agencies including the FBI, the Multi-State Information Sharing and Analysis Center, US Department of Homeland Security, and the Office of the Chief Technology Officer to investigate the breach.

Upon learning of the incident in early October, the elections agency took down its website and started scanning its database, server and IT networks for vulnerabilities.

While the website remains down, with a message telling visitors it is undergoing maintenance, "voter registration remains open, active, and secure for District of Columbia residents," according to DCBOE.

RansomVC, aka Ransomed.vc, is a new extortion crew that emerged in September and claimed to have breached Sony and Japanese cell carrier NTT Docomo. ®
