A researcher discovers an open database with the personal info of 191 million voters.
You were doing your civic duty. You registered to vote, gave your personal information, allowed your political affiliation to be recorded. But did you know it could end up in an open database, searchable by anyone from your boss to the head of ISIS?
DataBreaches.net, the site that reported the discovery, called the database a “gold mine,” and said it included your name, address, date of birth, gender, party affiliation and more.
DataBreaches.net published a redacted example of how a voter’s record appeared in the database.
“Thankfully, there are no Social Security numbers, driver’s license numbers, or any financial information in this particular database, but full name, date of birth, and address and phone number with political party and other fields – are problematic enough when it comes to protecting our privacy and security,” DataBreaches.net said.
“Right now, thanks to someone’s carelessness, it’s free to anyone who can find what Vickery did,” said Forbes. “That means anyone in the world can find out where a person in the US lives and what political beliefs they may have. If they can find the database, scammers and marketing folk alike will likely benefit most.”
The database is no longer open, according to an update at DataBreaches.net.
“Leaky database”
Some news organizations reported this discovery as a “leak” of information. DataBreaches.net called it a “leaky database.” But some cybersecurity experts disagree.
“This is not a leak,” said Patrick Coyle with Chemical Facility Security News. “It is publicly available information that every political organization in the last 50 years (to my certain knowledge) routinely uses to call people for contributions and get-out-the-voter drives.”
“While at first blush the availability of a database of nationwide registered voter information seems like a serious breach, the truth is that this is a non-issue,” said an anonymous ex-CIA security expert.
“Registered voter data that includes all the information Mr. Vickery discovered can be purchased for a nominal fee from many states directly, and online from other sources,” he added. “The data that is the subject of this ‘breach’ would be considered publicly-available information, which would explain the apparent lack of interest cited from some authorities.”
Still concerned
The discovery of the database is still causing concern for some, including Vickery himself.
“I needed to know if this was real, so I quickly located the Texas records and ran a search for my own name. I was outraged at the result. Sitting right in front of my eyes, in a strange, random database I had found on the Internet, were details that could lead anyone straight to me. How could someone with 191 million such records be so careless?” he said in the article.
DataBreaches.net said it spoke with a police officer who does not have a publicly listed phone number or address for safety reasons. The site said it showed him the information in the database, and he responded, “Oh, man… I deal with criminals every day who know my name. The thought of some vindictive criminal being able to go to this site and get my address makes me uncomfortable. I’m also annoyed that people can get my voting record. Whether I vote Republican or Democratic should be my private business.”
State laws
DataBreaches.net reported that most states make their voter registration information available and do not restrict its use, but some have different laws.
The site said South Dakota’s laws require the person who is requesting the voter registration info to sign this statement:
“…I understand that the voter registration data obtained from the statewide voter registration database may not be used or sold for any commercial purpose and may not be placed for unrestricted access on the internet.”
California and Hawaii also restrict use of voter registration information, according to the site.
“If you are a registered voter, we cannot offer you reassurance that your details have not been obtained and won’t be misused. We don’t know for how long this database has been left unsecured and how many people may have accessed and downloaded it,” DataBreaches.net said.
Whose database?
No one has taken responsibility for the open database, reported Forbes, and at last check, Vickery and DataBreaches.net had not identified the database’s owner.
Reporters and researchers said they have contacted many political data companies in search of the responsible party. DataBreaches.net said the problem has been reported to multiple law enforcement agencies.
“The problem is, no one seems to care that this database is out there and no one wants to claim ownership,” reported CSO’s Salted Hash.
Cybersecurity experts say this is not uncommon.
“It is amazing how hard it is to find someone who is ‘accountable’ for an issue as important as this one,” said Stacy Bresler of Archer Security Group. “I would think, at this point, this is bigger than just placing blame – the database needs to be secured today!”
Bresler said this kind of problem exists in many corporations.
“No one is willing to stand up to take responsibility or work with others within their organization to just do the right thing,” he said. “For some reason, when a security vulnerability is discovered, it becomes a game of hot potato, when, more often than not, the issue could easily be fixed with a minimal amount of time and effort.”
“My advice: own the problem even if you don’t know for sure it is yours,” he added. “That gets the accountability politics out of the way quickly. Then you can focus on getting the job done.”
Valuable info
Political data companies acquire voter registration information from state and county governments, aggregate it into nationwide files, and sell those files to campaigns.
One of these companies, NationBuilder, says on its site that state and county government charges “range from a simple $5 processing fee to as high as the $29k fee charged by Alabama in 2012 for approximately 3 million voter registration records.”
A database similar to the one Vickery found could go for more than $250,000, according to DataBreaches.net.
“The sad thing about this news is that someone paid good money for this database and then posted it on-line for everyone to see,” said Coyle.
“What is really surprising is that the apparent seller of this material has not gotten on the phone to their customer to get this taken out of public availability,” Coyle said. “Now they won’t be able to sell the same list again for at least six months.”
The database was “misconfigured,” according to DataBreaches.net.
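The page does not say which database software was involved or what the misconfiguration was, only that the data was reachable by anyone who found the server. The two settings that turn a datastore into an “open database” are the same regardless of product: it listens on a public interface, and it does not require credentials. The following is an added example, not code from the page or from anyone quoted on it; it uses MongoDB’s mongod.conf format as a representative case (the `net.bindIp`, `net.bindIpAll` and `security.authorization` keys are MongoDB’s own) and audits two constructed configuration files, one exposed and one corrected. The minimal YAML reader handles only the `key: value` subset that mongod.conf uses, which is an assumption made to keep the example dependency-free. One caveat worth knowing: MongoDB releases before 3.6 listened on all interfaces when `bindIp` was unset, so the `pre_3_6_defaults` flag treats a missing `bindIp` as public.

```python
"""Audit a mongod.conf for the 'open database' pattern: public bind + no auth."""

# Constructed example: a 2015-era config that exposes every collection to the internet.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0        # listens on every interface
# no security section: authorization defaults to disabled
"""

# Constructed example: the same server with the two settings corrected.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1      # loopback only; put a VPN or SSH tunnel in front
security:
  authorization: enabled # every client must authenticate
"""

PUBLIC_BIND_MARKERS = ("0.0.0.0", "::")


def parse_simple_yaml(text):
    """Read the indentation-nested 'key: value' subset used by mongod.conf.

    Assumption: no lists, quoted strings or anchors, and no '#' inside values.
    This is deliberately not a general YAML parser.
    """
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for the enclosing sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while indent <= stack[-1][0]:  # dedent closes enclosing sections
            stack.pop()
        parent = stack[-1][1]
        if value == "":  # a section header opens a nested mapping
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def audit_mongod_conf(text, pre_3_6_defaults=False):
    """Return a list of findings; an empty list means neither weak setting is present."""
    cfg = parse_simple_yaml(text)
    net = cfg.get("net") if isinstance(cfg.get("net"), dict) else {}
    sec = cfg.get("security") if isinstance(cfg.get("security"), dict) else {}

    bind_all = str(net.get("bindIpAll", "false")).lower() == "true"
    if "bindIp" in net:
        bind_ips = [ip.strip() for ip in str(net["bindIp"]).split(",")]
    else:
        # Before MongoDB 3.6 an unset bindIp meant all interfaces; 3.6+ means localhost.
        bind_ips = ["0.0.0.0"] if pre_3_6_defaults else ["127.0.0.1"]
    listens_publicly = bind_all or any(ip in PUBLIC_BIND_MARKERS for ip in bind_ips)

    # security.authorization has always defaulted to 'disabled'.
    auth_enabled = str(sec.get("authorization", "disabled")).lower() == "enabled"

    findings = []
    if listens_publicly:
        findings.append("net.bindIp/bindIpAll: server listens on all interfaces")
    if not auth_enabled:
        findings.append("security.authorization: not 'enabled'; any client can read every collection")
    if listens_publicly and not auth_enabled:
        findings.append("CRITICAL: database is reachable from the network with no credentials")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["no findings"])
```

Either finding alone is worth fixing, but it is the combination that produces what this story describes: a server any scanner can find, answering every query without a password. The `pre_3_6_defaults` case is the one most often missed in an audit, because the exposed file contains nothing that looks wrong.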
“This looks to be a simple case of sloppy work,” said Brandon Dunlap with Black & Veatch.
“It reminds me of a claim a colleague of mine made recently: too many people are approaching IT (and subsequently, security) as a vocation as opposed to a profession,” he said.
“What he meant by that was a reliance on semi-skilled labor and checklists as IT drives toward cost management. This puts downward pressure on the discipline as more and more people flood the market with questionable skill levels, leading to this sort of flagrant negligence,” explained Dunlap.