Last week, Department of Justice Deputy Attorney General Rod Rosenstein announced that a dozen Russians were indicted for hacking offenses tied to the 2016 presidential elections. In addition to the indictments, Rosenstein asserted that Russian intelligence officers stole information on approximately 500,000 voters from a hacked state election board website.
Illinois previously disclosed that it notified 76,000 residents that they may have had their voter registration data viewed by the attackers. And although the Illinois State Board of Elections is not specifically mentioned in Rosenstein’s speech nor in the grand jury indictment issued by the DOJ, the Illinois State Board of Elections believes the reference relates to it.
“As far as we know, we are the only state that experienced an actual breach, which is why we stated that we believe we are the ‘SBOE 1’ referred to in Count 11, paragraph 72 [of the indictment],” Matt Dietrich, public information officer for the Illinois State Board of Elections, told Government Technology.
Twenty-one states were hit with attempted election-related cyberattacks in 2016. But most of these attempts were unsuccessful, with states only getting scanned for potential vulnerabilities, according to 2017 transcripts from a Senate Intelligence Committee hearing.
“In the vast majority of those states targeted in 2016, only preparatory activity like scanning occurred, and in no case was the data actually changed or manipulated. None of the targeted systems were connected to the counting of votes,” a law enforcement representative told Government Technology.
According to a Washington Post report, a county elections official in Arizona had their login credentials stolen during the barrage of hacking attempts on state and local election offices and systems during the 2016 elections, but the remaining affected states were able to prevent a breach.
The DOJ figure of 500,000 voters affected versus Illinois’ figure of 76,000 comes down to the methodology used to count the potentially affected voters, according to Dietrich.
“We believe it probably has to with their citing ‘data related to’ voters under the U.S. Criminal Code whereas we notified individual voters based on criteria in the Illinois Personal Information Protection Act. If the hackers viewed only, say, a street number for a voter, we would not be required to do any notification. However, all pieces of data viewed in the hack would be considered data to be counted under the federal criminal code,” Dietrich explained. “We had to discern which voters had enough information viewed to warrant individual notification.”
Dietrich added that the state board of elections has no plans to issue any further 2016-related hacking notifications.