Steil, Lee Send Letter to D.C. Board of Elections Amid Voter Information Breach
Letter
Dear Board Members:
As Chairman of the U.S. House of Representatives Committee on House Administration, which has broad oversight of our nation's federal elections, I write today to express my deep concerns over the breach of the D.C. Board of Elections ("Board") voter database on October 5, 2023, which included the exfiltration of a copy of the voter registration roll and the subsequent sale by malicious actors of sensitive voter identification information.
This breach is especially troubling because it appears that the Board did not realize its full extent until two weeks later. For Americans to have confidence in our elections, they must have reason to believe that voter databases and voter information are safe, secure, and not susceptible to malicious access or manipulation.
Unfortunately, this hack raises the possibility that malicious actors could replace voters' information replaced with false information, including improper removal of voters from the rolls, improper additions of ineligible individuals or false names to the rolls, or improper or false markings about a voter's ballot return status, which might allow bad actors to prevent certain voters from casting ballots, allow other voters to cast multiple ballots, or permit ineligible people or false names to cast ballots.
Finally, even if none of these worst-case scenarios is realized, this data breach and other recent breaches in Washington might very well create a bad perception among voters that elections in the District of Columbia are not be secure, reducing both voters' confidence in the election system and their likelihood of participation.
The Committee has continued its strong focus on cybersecurity this Congress, including oversight of a recent cyber attack on another D.C. government-affiliated entity earlier this year that resulted in the theft of the sensitive personal identification information of Members of Congress, staff, and family members. In April, the Committee held a joint hearing with the Committee on Oversight and Accountability with respect to this breach of D.C.
Health Exchange systems. As such, this breach of the Board's records makes this leak at least the second time this year that D.C. government systems were breached by malicious actors. This is unacceptable.
In response to these facts, please answer the following questions:
1. What steps has the Board taken to investigate the cause of the breach?
2. Did the Board conduct a review of its information technology infrastructure when it learned about the D.C. Health Exchange breach?
a. If not, why not?
3. How and when did the Board notify voters affected by the breach?
4. What steps is the Board and/or the D.C. Attorney General taking to investigate whether this information was purchased on the dark web?
5. Has the Board conducted a review of its information technology infrastructure following this breach?
6. What new policies, procedures, and technological improvements will be implemented to ensure this
does not happen again?
7. What is the Board's strategy to ensure voters' confidence in elections held within the District of
Columbia does not suffer?
8. Has the Board confirmed that there were no changes made to voter information in its voter database?
a. If not, what steps does the Board plan to take to look into this matter?
9. Given that this hack occurred on October 5, 2023, and DataNet Systems identified individuals affected on November 20, 2023, why did the Board and DataNet Systems wait until December 22, 2023 to notify affected voters and the public?
Please direct all correspondence and any questions you may have by January 18, 2024, to Caleb Hays, General Counsel and Deputy Staff Director, at Caleb.Hays@mail.house.gov.
Source