Florida was the joke of tech websites this week after a hacker boasted he tapped the “inside details of Florida voting systems.” Twice in a week, the anonymous Twitter user @Abhaxas posted links to lists of voting-related files.
“Who still believes voting isn’t rigged?” he wrote above one list. “If the United States government can’t even keep their ballot systems secure, why trust them at all? FAIL!”
Except he didn’t breach any voting systems, the Florida Division of Elections says. And a major Web vendor to most of the state’s elections supervisors, VR Systems, doesn’t use the same kind of servers accessed by the hacker.
“To my knowledge, we have had no instance of hacking on any of our services,” said Fred Schmidt, VR Systems’ manager of applications development.
So what did the hacker get?
Old training data, including manuals and sample ballots, from a server used by Liberty County in the Florida Panhandle. Logins and passwords that poll workers used to view training videos. And some data files from Lee County (Fort Myers) with names like “committees” and “elections_candidates.”
“It has nothing to do with vital information at all,” Marcia Wood, supervisor of elections for Liberty County, told the Miami Herald.
After the first breach, posted over the July 4 weekend, the Florida Division of Elections alerted county IT managers to review their security logs and watch for any unusual activity.
Hillsborough and Pinellas counties confirmed Friday they weren’t affected. And the breach itself didn’t reveal sensitive data, wrote Gisela Salas, director of the Florida Division of Elections.
“The data on the posted report is public information,” she said in an alert e-mail Tuesday.
But the news got picked up by major geek news clearinghouses such as Gizmodo and Slashdot, with a second one headlined, “Hacker Exposes Florida’s Voting Database — Again.”
A breach posted Thursday did look worse than the first. The file list showed the hacker got root access, usually the highest level of access.
“Glad you cleaned things up. Pretty secure now guys,” he taunted.
He didn’t mention it was a second local server — not a statewide system.
The Florida Voter Registration System wasn’t involved, said Chris Cate, spokesman for the Florida Department of State.
And there wasn’t anything in the files listed on the compromised servers — which he described as “standard public web hosting” — that would help a hacker gain access to more sensitive systems, he said.
Still, the gauntlet’s been thrown.
“I don’t have a political agenda. I just enjoy exposing insecure networks,” the hacker tweeted on Sunday.
He followed up a few days later with a tweet pointing to servers for VR Systems, which offers services to 62 of Florida’s counties: “It has a ‘hack me’ sign on it. Hack one, have access to all.”
“We’ve been monitoring it,” Schmidt said. “Security is something we take very seriously.”