WASHINGTON - Today, Committee on House Administration Chairman Bryan Steil (WI-01) and Subcommittee on Elections Chair Laurel Lee (FL-15) sent a letter to the D.C. Board of Elections over concerns about a breach of the voter database on October 5, 2023. The breach involved a copy of the voter registration roll and the sale by malicious actors of sensitive voter identification information.

The Board did not realize the full extent of the breach until two weeks later and waited 2.5 months to notify affected registrants. This hack raises the possibility that malicious actors could replace voters’ information with false information. This includes improper removal of voters from the rolls, improper additions of ineligible individuals or false names to the rolls, or improper or false markings about a voter’s ballot return status, which might allow bad actors to prevent certain voters from casting ballots, allow other voters to cast multiple ballots, or permit ineligible people or false names to cast ballots.

In response, Chairman Steil and Subcommittee on Elections Chair Lee have asked the Board to answer the following questions:

1. What steps has the Board taken to investigate the cause of the breach?

2. Did the Board conduct a review of its information technology infrastructure when it learned about the D.C. Health Exchange breach?

a. If not, why not?

3. How and when did the Board notify voters affected by the breach?

4. What steps is the Board and/or the D.C. Attorney General taking to investigate whether this information was purchased on the dark web?

5. Has the Board conducted a review of its information technology infrastructure following this breach?

6. What new policies, procedures, and technological improvements will be implemented to ensure this does not happen again?

7. What is the Board’s strategy to ensure voters’ confidence in elections held within the District of Columbia does not suffer?

8. Has the Board confirmed that there were no changes made to voter information in its voter database?

a. If not, what steps does the Board plan to take to look into this matter?

9. Given that this hack occurred on October 5, 2023, and DataNet Systems identified individuals affected on November 20, 2023, why did the Board and DataNet Systems wait until December 22, 2023 to notify affected voters and the public?
