Voter registration data belonging to the entirety of Chicago’s electoral roll—1.8 million records—was found a week ago in an Amazon Web Services bucket configured for public access. The data was a backup stored in AWS by Election Systems & Software (ES&S), a voting machine and election management systems vendor based in Omaha, Nebraska. Researchers from UpGuard made the discovery last Saturday and privately reported the leak to a government regulator who connected them to the Chicago FBI field office. The FBI then notified ES&S, which immediately pulled down the data from Amazon.
Amazon buckets are configured to be private by default and require some kind of authentication to access what’s stored in them. For some reason, ES&S misconfigured its bucket to public months ago, opening the possibility that others had accessed the data before UpGuard.
ES&S confirmed in a statement that the copy of the backup file, a .bak (Microsoft SQL backup) file, contained 1.8 million names, addresses, dates of birth, partial Social Security numbers and, in some cases, driver’s license and state identification numbers. Jon Hendren, director of strategy at UpGuard and the person who found the exposed data, said that the databases also included fields indicating whether a voter was active. About 1.5 million of the records belonged to active voters.
There were two folders in the AWS bucket, Hendren said, containing about a dozen backup files, about 12GB in all. Also in the folder was some information on ES&S security procedures that included the hashed email passwords of ES&S employees. While the personal information of voters exposes them to fraud via phishing and other scams, the employee data poses a serious threat in another direction.
“There’s no telling how far a nefarious actor could get if they’re willing to use those credentials,” said Chris Vickery, UpGuard director of cyber risk research, who has found other similar leaks via Amazon buckets. “There’s no way to tell if they would be able to infiltrate ES&S networks or systems, but the potential is there.”