Personally identifiable information belonging to members of Congress and others has been published online following a data breach at DC Health Link, the District of Columbia’s health insurance exchange.

The breach first came to light on Wednesday when DC Health Link informed members of the House and Senate that hackers had gained access to their sensitive personal data. The form of attack was not disclosed and DC Health Link claimed it could not determine its size and scope.

However, how big the breach was didn’t take long to find out, as a hacker on Breach Forums claimed to have stolen 170,000 records. Going by the name of “IntelBroker,” the hacker said that the stolen data included Social Security numbers, dates of birth, email addresses and home addresses.

Although IntelBroker was banned from Breach Forums, another listing on the site that purports to be sharing the very same stolen data claims that there are fewer than 55,000 records. The listing (pictured) claims that those affected include not only members of Congress but also their staff and others. Of note, Breach Forums is not a dark web site that can be reached only with special software, but one that can be accessed through the regular internet.

Various outlets, including the Associated Press, have tested the listed data on Breach Forums and confirmed that it’s legitimate. One person listed in the database is said to have said, “Oh my god” when informed by AP that his name was in the database.

Given that it affects them directly, politicians are said to be not happy with the news that their personal data has been breached. House Speaker Kevin McCarthy and Minority Leader Hakeem Jeffries said in an email that the data breach posed a significant threat of identity theft, financial crimes and physical threats to members, staff and their families, which were already a concern.

“The sensitivity of data and the high-stakes pressure make any healthcare organization a high-value target for cybercriminals,” Darren James, senior product manager at password security software company Specops Software AB, told SiliconANGLE. “The fact that DC Health Link is handling PII for members of congress will raise awareness of the importance of reviewing cyber security policies for organizations, as well as suppliers.”

Eric O’Neill, national security strategist at cloud computing and virtualization technology company VMware Inc., commented that the valuable public official information stolen in the DC Health Link breach is a goldmine for espionage threat actors.

“The information may be used to create fake social media profiles or news articles that appear to be from legitimate sources,” O’Neill explained. “They can then use these profiles to spread false information or amplify existing rumors to sway public opinion. Both criminals and spies frequently use stolen personally identifiable information to conduct spear-phishing email attacks, using personal information to craft targeted emails that appear to be from a trusted source that leads to further breaches or theft of information.”

Image: Breach Forums