When 650 thousand Tennesseans voted in the Memphis area, they probably didn’t expect their personal information would eventually be picked apart at a hacker conference at Caesars Palace Las Vegas. … When US government workers decommission old voting equipment and auction them off to the public, they’re supposed to wipe voter information from the device’s memory. But hackers given access to an ExpressPoll-5000 electronic poll book—the kind of device used to check in voters on Election Day—have discovered the personal records of 654,517 people who voted in Shelby Country, Tennessee. It’s unclear how much of the personal information wasn’t yet public. Some of the records, viewed by Gizmodo at the Voting Village, a collection of real, used voting machines that anyone could tinker with at the DEF CON hacker conference in Las Vegas, include not just name, address, and birthday, but also political party, whether they voted absentee, and whether they were asked to provide identification.
Election Systems and Software (ES&S), which makes the ExpressPoll-5000, is one of the most popular e-poll book manufacturers in the country, said Barbara Simons, who sits on the board of Verified Voting, a nonpartisan research group that advocates for voting-machine security. There’s no formal auditing process for how many of the machines are properly wiped, and thus no way to estimate how many machines have been sold that inadvertently contain voter records.
But the fact that only a handful of such machines were made available at DEF CON and one of them had personal records that were so easily available doesn’t inspire confidence, said Matt Blaze, a renowned security researcher who has authored several studies on voting machine security and who helped organize the village.
“How many other of these machines that also have data left on them have been sold to who knows who? There’s no way of knowing,” Blaze told Gizmodo.