In a vivid reminder of the need to secure data in the cloud, researchers at UpGuard recently came across more than 1.8 million Chicago voters’ personal information exposed online in a misconfigured Amazon S3 bucket belonging to voting machine company Election Systems & Software (ES&S). The publicly downloadable data, which was discovered on August 11 by UpGuard director of strategy Jon Hendren, included voters’ names, birthdates, addresses, phone numbers, driver’s license numbers and the last four digits of Social Security numbers. The data was put together by ES&S for the Chicago Board of Election Commissioners prior to the 2016 election. Since Chicago only had 1.5 million active voters in November 2016, the data appears to cover all of Chicago’s voters, both active and inactive. This is part of a larger trend — other recent breaches linked to misconfigured Amazon servers have exposed 14 million Verizon customers’ data, more than 3 million WWE fan’s personal information, 4 million Dow Jones customers’ personal data, over 60,000 sensitive Pentagon files, and approximately 48,000 Indian citizens’ personal data.
“In the case of this breach, as well as others, this data was only exposed because the Amazon S3 bucket in question was configured to allow public access, permitting anyone accessing the repository’s URL to download its content,” UpGuard cyber resilience analyst Dan O’Sullivan noted in a blog post.
“AWS default settings are built to ensure that only authorized employees are able to access this data,” O’Sullivan added. “Should this access configuration be changed, the IT enterprise in question must have processes in place to ensure such exposures are caught and remediated.”
In a statement, ES&S said the data was secured the day after it was discovered, soon after UpGuard notified state and local officials. “ES&S also launched a full investigation, with the assistance of a third-party firm, to perform thorough forensic analyses of the AWS server,” the company added.