Database Configuration Issues Expose Personal Data of 191 Million Voters

An independent security researcher stumbled upon the database and then worked with others to notify law enforcement.

An independent computer-security researcher revealed that a misconfigured database containing the personal information of around 191 million voters was available on a public web server. The voter data, from all 50 U.S. states and Washington, D.C., is no longer available online, according to DataBreaches.net, but it is unclear how many people accessed the information while it was available.

Security researcher Chris Vickery first brought the exposure to light. Vickery, a “white hat” hacker, told Reuters he stumbled upon the misconfigured database while doing research in an effort to raise awareness of breaches. Both DataBreaches.net and CSO Online later independently verified the exposure uncovered by Vickery.

According to CSO Online, “The database contains a voter's full name (first, middle, last), their home address, mailing address, a unique voter ID, state voter ID, gender, date of birth, date of registration, phone number, a yes/no field for if the number is on the national do-not-call list, political affiliation, and a detailed voting history since 2000. In addition, the database contains fields for voter prediction scores.”

Breach Exposes Personal Information

Vickery, described by Reuters as a tech support specialist from Austin, Texas, told the news service that he was able to download the entire database in about a day. According to Reuters, it is rare to have so much voter data pulled together in a single database, from which criminals could access the information. "The alarming part is that the information is so concentrated," Vickery told Reuters.

DataBreaches.net contacted the FBI’s Internet Crime Complaint Center, the FBI’s New York field office and the California Attorney General’s office, the website said. The FBI declined to comment, according to Reuters.

According to DataBreaches.net, California was contacted because it is one of the states that place restrictions on how voter data can be used. The report said: “When one of their attorneys asked, ‘Well how much data are we talking about?’ and I read her the list of data fields and told her that we had access to voter records of over 17 million California voters, her response was ‘Wow,’ and she promptly forwarded the matter to the head of their e-crime division.”

CSO Online reported that the voter data may have originally been stored in a database owned by NationBuilder, a software firm that works with political campaigns, since the exposed data included codes similar to those used by NationBuilder. Yet CSO Online says the blame lies not necessarily with NationBuilder but with those who “developed the database and poorly configured its hosting.”

In a statement, NationBuilder founder and CEO Jim Gilliam said, “While the database is not ours, it is possible that some of the information it contains may have come from data we make available for free to campaigns. From what we've seen, the voter information included is already publicly available from each state government so no new or private information was released in this database.”

Although that may be the case, Politico reported that data aggregators pay state and county governments for voter information, citing an unnamed executive at a rival software firm who declined to speak on the record.

States Differ on Voter Data Laws

The kind of information exposed in the breach is generally considered to be private, Craig Spiezle, executive director of the Online Trust Alliance, told Politico. But the Politico report said that many states are unlikely to notify residents if voter registration data is exposed, because state notification laws tend to only cover exposure of financial and medical data.

That highlights the ways in which different state governments protect voter registration information. A spokesperson for the U.S. Federal Election Commission, which regulates campaign financing, told Reuters the agency does not have the authority to keep tabs on voter records; that task is left up to the states.

“All voter information, except for a few elements protected by law in some states, is public record. For example, in Ohio, voter records are posted online,” CSO Online reported.

As DataBreaches.net notes, “In California, information on voter registration cards is considered confidential, and subject to many restrictions to access and use. One of the restrictions is that the information may not be made available to persons outside the U.S. And in Hawaii, voter registration information may only be used for elections and by the government.”

Meanwhile, according to DataBreaches.net, in South Dakota, anyone requesting access to voter data must sign a statement that says the information "may not be used or sold for any commercial purpose and may not be placed for unrestricted access on the Internet."

Dec 29 2015