A voting machine supplier for dozens of US states left records on 1.8 million Americans in public view for anyone to download – after misconfiguring its AWS-hosted storage.
ES&S says it was notified by UpGuard researcher Chris Vickery of the vulnerable database that contained personal information it collected from recent elections in Chicago, Illinois. The records included voters’ names, addresses, dates of birth, and partial social security numbers. Some of the records also included drivers’ licenses and state ID numbers.
“The backup files on the AWS server did not include any ballot information or vote totals and were not in any way connected to Chicago’s voting or tabulation systems,” ES&S said in a statement on Thursday. “These back-up files had no impact on any voters’ registration records and had no impact on the results of any election.”
According to ES&S, it was alerted at 5.37pm on August 12 when, as part of a larger project to seek out sensitive data insecurely hosted on AWS, Vickery notified the company it had left its voter records out in the open. The cloud system was taken down four hours later. The biz, which supplies voting machines and backend services to more than 40 US states, is investigating the cockup.
A spokesperson for UpGuard confirmed to The Register that the vulnerable service was an AWS S3 silo accidentally set up to be open to the public. Strangely, only Chicago’s data was exposed by a misconfiguration.