1.8 million Chicago voter records exposed online

Posted at 8:15 PM, Aug 17, 2017, and last updated 2017-08-17 20:15:51-04

A voting machine company exposed 1.8 million Chicago voter records after misconfiguring a security setting on the server that stored them.

Election Systems & Software (ES&S), the Nebraska-based voting software and election management company, confirmed the leak on Thursday.

In a blog post, the company said the voter data leak contained names, addresses, birthdates, partial social security numbers and some driver’s license and state ID numbers stored in backup files on a server. Authorities alerted ES&S to the leak on Aug. 12, and the data was secured.

A security researcher from UpGuard discovered the breach.

The data did not contain any voting information, such as how someone voted.

Jim Allen, a spokesman for the Chicago Board of Elections, said the leak did not contain or affect anyone’s voting ballots, which are handled by a different vendor.

“We deeply regret this,” Allen said. “It was a violation of our information security protocol by the vendor.”

Forensic experts are investigating the ES&S leak. A spokesperson for ES&S said in a statement the firm has no indication that the information had been previously accessed by people other than the researchers who discovered it.

UpGuard security researcher Jon Hendren found the cache of data exposed on an Amazon Web Services server Friday night. He handed it off to analyst Chris Vickery, who downloaded the information to examine the content. Vickery shared his findings with local and Illinois state authorities Saturday morning.

Amazon buckets — where data is stored — are private by default. This means someone at ES&S misconfigured a security setting and exposed the data online.

“This data would be an identity thief’s dream to find,” Vickery told CNN Tech. He also said the leaked files contained some voting system administration credentials.

Researchers at UpGuard are responsible for discovering a number of major data leaks from publicly available databases online, including millions of people’s information from a GOP analytics company and Verizon. The firm also recently discovered critical infrastructure data exposed by a Texas energy firm.

Data breaches like this happen far more frequently than the public might realize.

Vickery said when he devotes one day to looking for exposed servers, he finds dozens of data breaches. Some are not as big as schematics on energy companies or millions of partial social security numbers, but he said it’s something companies need to be much more aware of.

“It’s really kind of an epidemic that people don’t have any idea about,” Vickery said. “System administrators leaving things open and exposed to the public internet is like a cancer on security.”