Data Breach , Data Loss

191 Million U.S. Voter Registration Records Exposed?

Unclear Who Is Responsible for Misconfigured Database
191 Million U.S. Voter Registration Records Exposed?

A security researcher claims he's found an Internet-connected "leaky database" that apparently is storing voter registration records for 191 million Americans. But after one week of working with others in an attempt to identify the owner of the exposed and insecure database and lock it down, no one has come forward to claim responsibility.

See Also: Vulnerability Management with Analytics and Intelligence

"I believe this is every registered voter in the entire country. To be very clear, this was not a hack," says the security researcher, Chris Vickery, in a Dec. 28 Reddit post. "The mysterious, insecure database is currently configured for public access. No password or other authentication is required at all. Anyone with an Internet connection can grab all 300+ gigabytes."

Subsequently, however, he updated that post to note that the database had finally been taken down. "I'm happy to confirm that the database is now offline!" he says. "Thank you to whoever finally took if down!"

News of the exposed data was first reported by CSO as well as the blog DataBreaches.net, which reports that the information appears to be current as of March 2014.

Vickery says the leaked information includes first, middle and last names; home and mailing addresses; phone numbers; dates of birth; political party affiliation; and a record of whether or not individuals voted in primary or general elections, dating from 2000. "I looked myself up in the Texas table. It's accurate. It is not known whether or not 'high risk professionals' are included in this database," he says. "However, I have looked up several police officers in my city, and their data is indeed present. I've been working with journalists and authorities for over a week to get this database shut down or secured. No luck so far."

Databreaches.net reports that accurate information for a police officer - referred to as "Sam" to protect his privacy - is also in the database. That's a concern, because Sam doesn't have a publicly listed phone number or address to help protect both him and his family. "Oh man. ... I deal with criminals every day who know my name," he tells the blog. "The thought of some vindictive criminal being able to go to this site and get my address makes me uncomfortable. I'm also annoyed that people can get my voting record. Whether I vote Republican or Democratic should be my private business."

Vickery couldn't be immediately reached for comment. But Vickery tells CSO that after finding his own information in the voter database: "My immediate reaction was disbelief. ... How could someone with 191 million such records be so careless?"

Databreaches.net, CSO and Vickery all report that after seven days of related queries to organizations that might be responsible for amassing and selling this type of voter information, they have been unable to identify the owner of the misconfigured database. They have also now alerted the California Attorney General's office, the FBI's New York field office and the Internet Crime Complaint Center - a multi-agency task force run by the FBI, the National White Collar Crime Center and the Bureau of Justice Assistance about the exposed information.

The FBI declined to comment. Likewise, California Attorney General spokeswoman Kristin Ford tells Information Security Media Group: "I can't comment on a potential or ongoing investigation, or even confirm or deny an investigation, in order to protect the integrity of any investigation."

Vickery's research shows that if he can find this type of unsecured data on the Internet, then theoretically others could have already done the same.

Any leak of genuine voter registration information could lead to repercussions for the organization or individual that lost control of the data. Related state laws vary. But according to the NationBuilder community organizing system owned by CDNA Corp., the state of California mandates that its residents' voting information "may not be made available to persons outside of the U.S.," while South Dakota stipulates that its residents' voter registration information "may not be placed on [the] Internet for unrestricted access."

In a Dec. 28 statement, NationBuilder CEO Jim Gilliam denied reports that the database found by Vickery belonged to his firm. "While the database is not ours, it is possible that some of the information it contains may have come from data we make available for free to campaigns," he said. "From what we've seen, the voter information included is already publicly available from each state government so no new or private information was released in this database."

"Someone really screwed up their handling of this data," says Australian data security expert Troy Hunt, who runs "Have I Been Pwned?" - a free service that alerts people when their email addresses show up in public data dumps - in a blog post. "This is inexcusably poor management of a huge volume of sensitive data I hope that as the authorities get involved (and they will get involved), they manage to track down how such an horrendous oversight occurred."

Rolling Breach Alerts

Vickery, who's based in Austin, Texas, has described himself as an IT help desk employee by day and an amateur security researcher by night. He's been scanning the Internet for signs of insecure databases, then sharing those findings.

In September, for example, he found that Larkspur, Calif.-based Systema Software, which develops Web-based claims management software that's used in part for logging workers' injury claims, was insecurely storing information for at least 1.5 million people.

On Dec. 14, Vickery warned that by using the search engine Shodan - designed to find specific types of Internet-connected devices and configurations - he located a misconfigured MongoDB database containing 13 million sensitive customer records for a controversial application called MacKeeper. In response to those warnings, MacKeeper's developer, Kromtech Alliance, reported that it contacted Vickery and rectified the error he'd found "within hours of the discovery" (see MacKeeper: 13M Customers' Details Exposed).

Alliance Health: PHI Exposed

On Dec. 17, Vickery claimed he found a misconfigured database owned by Alliance Health in Salt Lake City, which helps those with chronic conditions to manage those conditions. The company says its 29 communities - covering conditions that range from asthma and diabetes to Crohn's disease and HIV - have more than 1.5 million members. And Vickery says that one of the files he found appeared to contain protected health information, with a total of 1.6 million records.

In a statement posted to the Alliance Health website, the company confirms that "a database containing Alliance Health customer records was misconfigured making it possible for some customer information to be accessible via the Internet using specialized data access tools." The company reports that after learning of the information exposure, it "immediately secured the database and began a thorough investigation," and that it plans to notify affected individuals and relevant government agencies once it understands the full extent of the breach.

On Dec. 19, Vickery claimed he found another unsecured MongoDB database containing information on 3.3 million fans of Hello Kitty and other characters owned by Japanese company Sanrio, including information on 186,000 minors. The information was contained in a database associated with the company's sanriotown.com online community. Sanrio reported that after conducting a digital forensic investigation of the apparently exposed database - as well as two other Internet-connected and likewise unsecured backup servers - it found that Vickery was the only outsider to have accessed the data.

But Hunt says that Vickery may soon find himself having to answer some pointed questions from authorities relating to his "research" activities in relation to the U.S. voter records. "Opening an unlocked door and stealing the contents behind it is still breaking and entering," Hunt says. "That may well lead to having to answer some very uncomfortable questions in the not-too-distant future."


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network