Oops!… They did it again. For what seems like the billionth time, U.S. voter records have been exposed, this time targeting Alaska. A cache of voter records containing the personal information of nearly 600,000 voters in Alaska was inadvertently exposed online. The culprit? An unsecured CouchDB database. And just, you know, a giant oversight. The cause of the hack was discovered by researchers at the Kromtech Security Research Center, who determined that the database of about 593,000 voters (that’s every registered voter in the state of Alaska) was accidentally configured for public access. That means it was just out there, floating in the breeze without any sort of password protection or security wall, making it accessible to anyone who knew where to look. No logging in, no verification, nada.
Full Article: Security Central: Glitch Leaves Alaskan Voters Out in the Cold, SEC Reveals Breach | Security content from The VAR Guy.
Some people who are in the U.S. legally but who are not citizens were mistakenly allowed to register to vote in Philadelphia because of a glitch in Pennsylvania’s electronic driver’s licensing system, a city election official said Wednesday. Al Schmidt, a Republican who sits on Philadelphia’s three-member election commission, said that since 2006 at least 168 noncitizens registered to vote in the city through the motor voter driver’s licensing system. In some cases, they voted, and some of them voted in more than one election, Schmidt said. Schmidt said he became aware of those people because they had contacted his office. Many more noncitizens could have mistakenly registered through the system in Philadelphia and elsewhere in Pennsylvania, he said.
Full Article: Pennsylvania system glitch let non-citizens register to vote | National | lancasteronline.com.
IT security researchers at Kromtech Security Center discovered an unprotected database exposed online due to misconfiguration of CouchDB containing nearly 600,000 records belonging to Alaskan voters. “The exposed data is a larger voter file called Voterbase compiled by TargetSmart, a leader in national voting databases that contains the contact and voting information of more than 191 million voters and 58 million unregistered, voting age consumers,” said researchers. The database with 593,328 records was available to the public for anyone to download without any security or login credentials. Each record contained names, date of birth, addresses, voting preferences, marital status, income details, children’s age, gun ownership related data and points which might help decide what issue the voter might be appealed to. TargetSmart CEO Tom Bonier blamed a third-party firm for the incident and told ZDNet that “We’ve learned that Equals3, an AI software company based in Minnesota, appears to have failed to secure some of their data and some data they license from TargetSmart and that a database of approximately 593,000 Alaska voters appears to have been inadvertently exposed.”
Full Article: Alaska Voter Database Exposed Online.
A cache of voter records on over a half-million Americans has been found online. The records, totaling 593,328 individual sets of records, appear to contain every registered voter in the state of Alaska, according to security researchers at the Kromtech Security Research Center, who found the database. The records were stored in a misconfigured CouchDB database, which was accessible to anyone with a web browser — no password needed — until Monday when the data was secured and subsequently pulled offline. The exposed data is just a portion of a larger voter file compiled by TargetSmart, which said its national voter file — that contains 191 million voters — is the “most comprehensive and up-to-date voter file ever assembled.” The data is collected and used to help political campaigns with their fundraising, research, and voter contact programs, the company said. ZDNet was provided a small sample of the records for verification. Each XML-formatted record contained details, some sensitive and personally identifiable information, on prospective voters, including names, addresses, dates of birth, their ethnic identity, whether an individual is married, and the individual’s voting preferences.
Full Article: Yet another trove of sensitive US voter records has leaked | ZDNet.
National: Data breaches like Equifax could make it cheap, easy to alter voter registrations | Philadelphia Inquirer
How convenient for voters: Pennsylvania and New Jersey allow them to change registration information online, including address and party affiliation. How convenient for wannabe attackers, too: With more personal information available online, it could be cheap and easy to falsely submit thousands of changes online to voter registrations, making some legitimate voters ineligible to cast ballots. A new study found that it would have cost as little as $1,934 last year to falsely submit online changes to 10 percent of registrations in Pennsylvania, a political battleground state that was pivotal to the 2016 presidential election. A similar attack on 10 percent of New Jersey voters’ registrations would have cost just $1,069, the researchers found. “It’s clear that impostors can definitely launch these attacks, and it’s not particularly expensive to launch these attacks against these websites,” said Latanya Sweeney, a government professor at Harvard University and one of the study’s authors.
Full Article: Data breaches like Equifax could make it cheap, easy to alter voter registrations.
National: Study points to potential vulnerability in online voter registration systems | Harvard Gazette
For as little as a few thousand dollars, online attackers can purchase enough personal information to perhaps alter voter registration information in as many as 35 states and the District of Columbia, according to a new Harvard study. Dubbed “voter identity theft” by study authors Latanya Sweeney, professor of government and technology in residence, research analyst Ji Su Yoo, and graduate student Jinyan Zang, the vulnerability could be exploited by internet attackers attempting to disenfranchise many voters where registration information can be changed online. Armed with personal information obtained through legitimate or illegitimate sources, hackers could learn enough to impersonate voters and change key information using the online registration systems. One tactic, researchers said, would be to simply change voters’ addresses, making it appear — to poll workers at least — as though they were voting at the wrong locations. Those voters might be forced to cast provisional ballots, which in many circumstances are not counted. The study is described in a Sept. 6 paper published in the Journal of Technology Science.
Full Article: Study points to potential vulnerability in online voter registration systems | Harvard Gazette.
The State Board of Elections put off a decision Tuesday on the latest request for Illinois voter information made by a panel formed by President Donald Trump to look into his claims of voting irregularities in last year’s presidential election. Instead, the board is sending a letter requesting more information about the purpose of the Presidential Advisory Commission on Election Integrity. Illinois officials also want to know whether any information provided truly could be kept confidential, as the federal panel pledged and as Illinois law requires. The privacy issue is a critical one for state election officials. In early July, the bipartisan elections board rejected an initial appeal for “publicly available” voter data by the federal panel because, under Illinois law, it had no such information available that could be publicly disclosed.
Full Article: State officials put off decision on Trump panels request for voter data - Chicago Tribune.
In a vivid reminder of the need to secure data in the cloud, researchers at UpGuard recently came across more than 1.8 million Chicago voters’ personal information exposed online in a misconfigured Amazon S3 bucket belonging to voting machine company Election Systems & Software (ES&S). The publicly downloadable data, which was discovered on August 11 by UpGuard director of strategy Jon Hendren, included voters’ names, birthdates, addresses, phone numbers, driver’s license numbers and the last four digits of Social Security numbers. The data was put together by ES&S for the Chicago Board of Election Commissioners prior to the 2016 election. Since Chicago only had 1.5 million active voters in November 2016, the data appears to cover all of Chicago’s voters, both active and inactive. This is part of a larger trend — other recent breaches linked to misconfigured Amazon servers have exposed 14 million Verizon customers’ data, more than 3 million WWE fans’ personal information, 4 million Dow Jones customers’ personal data, over 60,000 sensitive Pentagon files, and approximately 48,000 Indian citizens’ personal data.
Full Article: Massive Chicago Voter Breach Underscores Importance of Cloud Security.
Illinois: Election Systems & Software Exposes Backup of Chicago Voter Roll via AWS Bucket | Threatpost
Voter registration data belonging to the entirety of Chicago’s electoral roll—1.8 million records—was found a week ago in an Amazon Web Services bucket configured for public access. The data was a backup stored in AWS by Election Systems & Software (ES&S), a voting machine and election management systems vendor based in Omaha, Nebraska. Researchers from UpGuard made the discovery last Saturday and privately reported the leak to a government regulator who connected them to the Chicago FBI field office. The FBI then notified ES&S, which immediately pulled down the data from Amazon. Amazon buckets are configured to be private by default and require some kind of authentication to access what’s stored in them. For some reason, ES&S misconfigured its bucket to public months ago, opening the possibility that others had accessed the data before UpGuard.
Full Article: Vendor Exposes Backup of Chicago Voter Roll via AWS Bucket | Threatpost | The first stop for security news.
A voting machine company exposed 1.8 million Chicago voter records after misconfiguring a security setting on the server that stored them. Election Systems & Software (ES&S), the Nebraska-based voting software and election management company, confirmed the leak on Thursday. In a blog post, the company said the voter data leak contained names, addresses, birthdates, partial social security numbers and some driver’s license and state ID numbers stored in backup files on a server. Authorities alerted ES&S to the leak on Aug. 12, and the data was secured. A security researcher from UpGuard discovered the breach. The data did not contain any voting information, like the results of how someone voted. Jim Allen, a spokesman for the Chicago Board of Elections, said the leak did not contain or affect anyone’s voting ballots, which are handled by a different vendor. “We deeply regret this,” Allen said. “It was a violation of our information security protocol by the vendor.”
Full Article: 1.8 million Chicago voter records exposed online.
Illinois: Info on 1.8M Chicago voters was publicly accessible, now removed from cloud service: election officials | Chicago Tribune
A file containing the names, addresses, dates of birth and other information about Chicago’s 1.8 million registered voters was published online and publicly accessible for an unknown period of time, the Chicago Board of Election Commissioners said Thursday. The acknowledgment came days after a data security researcher alerted officials to the existence of the unsecured files. The researcher found the files while conducting a search of items uploaded to Amazon Web Services, a cloud system that allows users to rent storage space and share files with certain people or the general public. The files had been uploaded by Election Systems & Software, a contractor that helps maintain Chicago’s electronic poll books.
Full Article: Info on 1.8M Chicago voters was publicly accessible, now removed from cloud service: election officials - Chicago Tribune.
Names, addresses, dates of birth and other information about Chicago’s 1.8 million registered voters were left exposed and publicly available online on an Amazon cloud-computing server for an unknown period of time, the Chicago Board of Election Commissioners said. The database file was discovered on Friday by a security researcher at UpGuard, a company that evaluates cyber risk. The company alerted election officials in Chicago on Saturday and the file was taken down three hours later. The exposure was first made public on Thursday. The database was not overseen by the Chicago Board of Election but instead Election Systems & Software, an Omaha, Neb.-based contractor that provides election equipment and software.
Full Article: Information about 1.8 million Chicago voters exposed on Amazon server.
Illinois: Don’t panic, Chicago, but an AWS S3 config blunder exposed 1.8 million voter records | Associated Press
A voting machine supplier for dozens of US states left records on 1.8 million Americans in public view for anyone to download – after misconfiguring its AWS-hosted storage. ES&S says it was notified by UpGuard researcher Chris Vickery of the vulnerable database that contained personal information it collected from recent elections in Chicago, Illinois. The records included voters’ names, addresses, dates of birth, and partial social security numbers. Some of the records also included drivers’ licenses and state ID numbers. “The backup files on the AWS server did not include any ballot information or vote totals and were not in any way connected to Chicago’s voting or tabulation systems,” ES&S said in a statement on Thursday. “These back-up files had no impact on any voters’ registration records and had no impact on the results of any election.”
Full Article: Don't panic, Chicago, but an AWS S3 config blunder exposed 1.8 million voter records • The Register.
China: Privacy commissioner slams election office’s treatment of voter data following missing laptop incident | Hong Kong Free Press
The Privacy Commissioner has said the Registration and Electoral Office (REO) contravened privacy rules after it lost an election computer containing the personal information of all voters. It has demanded improvements. The commissioner’s office launched an investigation after two computers were lost from a backup polling station for the chief executive election in March. It was discovered a day after the election that the two machines had disappeared from a locked room, despite there being no sign of a break-in. One of the lost computers contained the names, addresses, and the identity card numbers – considered private information – of all 3.78 million Hong Kong voters. The data was stored in an encrypted format and did not include telephone numbers and voting records.
Full Article: Privacy commissioner slams election office's treatment of voter data following missing laptop incident | Hong Kong Free Press HKFP.
What a difference one month makes. In December, Commission on Elections (Comelec) Chair Andres Bautista basked in the glow of an agency that was hailed globally as the Electoral Commission of the Year for the successful May 9, 2016, polls. A month later, he was facing potential criminal prosecution over the March 2016 hacking of the Comelec website that has since been described as one of the worst breaches of a government-controlled database. The National Privacy Commission said on Thursday that Bautista had committed “gross negligence” under the Data Privacy Act of 2012, or Republic Act No. 10173. This came to light following an investigation of a “data breach” from March 20 to 27 last year. The breach exposed almost 77 million voter registration records. Sensitive information, such as voters’ full names, addresses, passport details and birthdays were posted on online platforms and a website that has since been taken down. So notorious was the event that it even has its own name: Comeleak.
Full Article: Poll chief liable for ‘Comeleak’ | Inquirer News.
National: Hackers have attempted more intrusions into voter databases, FBI director says | The Washington Post
Hackers have attempted more intrusions into voter registration databases since those reported this summer, the FBI director said Wednesday, and federal officials are urging state authorities to gird their systems against possible other attacks. Testifying before the House Judiciary Committee, FBI Director James B. Comey said that the bureau had detected scanning activities — essentially hackers scoping out a potential attack — as well as some actual attempted intrusions into voter registration databases. He said those attempts were beyond what had been made public in July and August, likely referring to hacking efforts in Illinois and Arizona, though he offered no other specifics. “We are urging the states just to make sure that their deadbolts are thrown and their locks are on, and to get the best information they can from” the Department of Homeland Security, he said.
Full Article: Hackers have attempted more intrusions into voter databases, FBI director says - The Washington Post.
Some personal voter information could have been gleaned from Washington’s online search tool for several months because of a problem with an update of the system, state elections officials said Friday. That problem was fixed shortly after it was pointed out in a complaint to the state Office of Cyber Security by Tina Podlodowski, the Democratic candidate for secretary of state. Podlodowski, who has criticized incumbent Republican Secretary of State Kim Wyman over voter data security, said Friday the problem was brought to her attention by “a couple of concerned citizens” and she confirmed it by checking her own registration information online.
Full Article: Update to Washington's Online Search Tool Exposed Voter Info.
A design flaw in Washington’s online voting tool, MyVote, exposed some voter information that should not have been accessible. The secretary of state’s office says the glitch has since been fixed. But, in an election year twist, the Democratic candidate for secretary of state, Tina Podlodowski, alerted the state’s cyber security office to the problem. Podlodowski is challenging incumbent Secretary of State Kim Wyman, a Republican. Podlodowski says a concerned citizen brought the glitch to her attention, prompting her to send an email to Washington’s Chief Information Security Officer. According to the secretary of state’s office, the software issue allowed access to personal information including email address, and phone number, as well as some contact information for military voters. The information was not visible on screen, but could be read through computer coding.
Full Article: Secretary of state learns of online data issue from opponent | KING5.com.
Elections authorities and cyber security experts say a concerted effort to alter the outcome of November’s elections through a cyber attack is nearly impossible, even after hackers gained access to voter registration databases in at least two states. But some of those same experts say hackers with ties to Russia aren’t aiming to change election results; instead, their goal is to create a perception that the results are in question, and to undermine confidence in American democracy. “Russian tampering with elections is not new. It’s only new to the U.S.,” said Chris Porter, who runs strategic intelligence for the cybersecurity firm FireEye Horizons. He pointed to Ukraine, Bulgaria, Romania and the Philippines, where Russian-backed hackers have gained access to electoral systems in recent years. “It’s just enough to create scandal,” Porter said. “That’s sufficient for Russian aims.” Last month, officials in Arizona and Illinois discovered their voter registration systems had been hacked, a leak that put thousands of voter registration records up for sale on the black market. In January, more than 17 million voter registration records from Washington, Delaware, Rhode Island and Ohio were stolen.
Full Article: Hacking the election is nearly impossible. But that's not Russia's goal. | TheHill.
Washington: Challenger Podlodowski discovers open door into state’s voter database | Seattle Post Intelligencer
A yawning back-end pathway into the state’s voter registration database, through which private information could have been accessed, has been closed, thanks to the candidate challenging Secretary of State Kim Wyman. “Anyone with basic programming skills and knowledge about these weaknesses could conceivably (access) this data, look up and harvest private data from millions of Washingtonians,” Tina Podlodowski wrote Wednesday to the state’s chief information security officer (CISO). The information accessible via the back-end pathway included voters’ personal cell phone numbers, personal email addresses, ballot delivery types, and the coding used to message military and overseas voters. Wyman’s office, without mentioning Podlodowski, put out a release Friday, saying: “The situation has been quickly rectified.” David Ammons, chief communications officer for the secretary of state, later confirmed that the problem was first identified in a letter from Podlodowski.
Full Article: Challenger Podlodowski discovers open door into state's voter database - seattlepi.com.