Alaska: Voter Database Exposed Online | HackRead

IT security researchers at Kromtech Security Center discovered an unprotected database exposed online due to misconfiguration of CouchDB containing nearly 600,000 records belonging to Alaskan voters. “The exposed data is a larger voter file called Voterbase compiled by TargetSmart, a leader in national voting databases that contains the contact and voting information of more than 191 million voters and 58 million unregistered, voting age consumers,” said researchers. The database with 593,328 records was available to the public for anyone to download without any security or login credentials. Each record contained names, date of birth, addresses, voting preferences, marital status, income details, children’s age, gun ownership related data and data points that might help decide which issues would appeal to the voter. TargetSmart CEO Tom Bonier blamed a third-party firm for the incident and told ZDNet that “We’ve learned that Equals3, an AI software company based in Minnesota, appears to have failed to secure some of their data and some data they license from TargetSmart and that a database of approximately 593,000 Alaska voters appears to have been inadvertently exposed.”

Alaska: Yet another trove of sensitive US voter records has leaked | ZDNet

A cache of voter records on over a half-million Americans has been found online. The records, totaling 593,328 individual sets of records, appear to contain every registered voter in the state of Alaska, according to security researchers at the Kromtech Security Research Center, who found the database. The records were stored in a misconfigured CouchDB database, which was accessible to anyone with a web browser — no password needed — until Monday when the data was secured and subsequently pulled offline. The exposed data is just a portion of a larger voter file compiled by TargetSmart, which said its national voter file — that contains 191 million voters — is the “most comprehensive and up-to-date voter file ever assembled.” The data is collected and used to help political campaigns with their fundraising, research, and voter contact programs, the company said. ZDNet was provided a small sample of the records for verification. Each XML-formatted record contained details, some sensitive and personally identifiable information, on prospective voters, including names, addresses, dates of birth, their ethnic identity, whether an individual is married, and the individual’s voting preferences.

National: Data breaches like Equifax could make it cheap, easy to alter voter registrations | Philadelphia Inquirer

How convenient for voters: Pennsylvania and New Jersey allow them to change registration information online, including address and party affiliation. How convenient for wannabe attackers, too: With more personal information available online, it could be cheap and easy to falsely submit thousands of changes online to voter registrations, making some legitimate voters ineligible to cast ballots. A new study found that it would have cost as little as $1,934 last year to falsely submit online changes to 10 percent of registrations in Pennsylvania, a political battleground state that was pivotal to the 2016 presidential election. A similar attack on 10 percent of New Jersey voters’ registrations would have cost just $1,069, the researchers found. “It’s clear that impostors can definitely launch these attacks, and it’s not particularly expensive to launch these attacks against these websites,” said Latanya Sweeney, a government professor at Harvard University and one of the study’s authors.

National: Study points to potential vulnerability in online voter registration systems | Harvard Gazette

For as little as a few thousand dollars, online attackers can purchase enough personal information to perhaps alter voter registration information in as many as 35 states and the District of Columbia, according to a new Harvard study. Dubbed “voter identity theft” by study authors Latanya Sweeney, professor of government and technology in residence, research analyst Ji Su Yoo, and graduate student Jinyan Zang, the vulnerability could be exploited by internet attackers attempting to disenfranchise many voters where registration information can be changed online. Armed with personal information obtained through legitimate or illegitimate sources, hackers could learn enough to impersonate voters and change key information using the online registration systems. One tactic, researchers said, would be to simply change voters’ addresses, making it appear — to poll workers at least — as though they were voting at the wrong locations. Those voters might be forced to cast provisional ballots, which in many circumstances are not counted. The study is described in a Sept. 6 paper published in the Journal of Technology Science.

Illinois: State officials put off decision on Trump panel’s request for voter data | Chicago Tribune

The State Board of Elections put off a decision Tuesday on the latest request for Illinois voter information made by a panel formed by President Donald Trump to look into his claims of voting irregularities in last year’s presidential election. Instead, the board is sending a letter requesting more information about the purpose of the Presidential Advisory Commission on Election Integrity. Illinois officials also want to know whether any information provided truly could be kept confidential, as the federal panel pledged and as Illinois law requires. The privacy issue is a critical one for state election officials. In early July, the bipartisan elections board rejected an initial appeal for “publicly available” voter data by the federal panel because, under Illinois law, it had no such information available that could be publicly disclosed.

Illinois: Massive Chicago Voter Breach Underscores Importance of Cloud Security | eSecurity Planet

In a vivid reminder of the need to secure data in the cloud, researchers at UpGuard recently came across more than 1.8 million Chicago voters’ personal information exposed online in a misconfigured Amazon S3 bucket belonging to voting machine company Election Systems & Software (ES&S). The publicly downloadable data, which was discovered on August 11 by UpGuard director of strategy Jon Hendren, included voters’ names, birthdates, addresses, phone numbers, driver’s license numbers and the last four digits of Social Security numbers. The data was put together by ES&S for the Chicago Board of Election Commissioners prior to the 2016 election. Since Chicago only had 1.5 million active voters in November 2016, the data appears to cover all of Chicago’s voters, both active and inactive. This is part of a larger trend — other recent breaches linked to misconfigured Amazon servers have exposed 14 million Verizon customers’ data, more than 3 million WWE fans’ personal information, 4 million Dow Jones customers’ personal data, over 60,000 sensitive Pentagon files, and approximately 48,000 Indian citizens’ personal data.

Illinois: Election Systems & Software Exposes Backup of Chicago Voter Roll via AWS Bucket | Threatpost

Voter registration data belonging to the entirety of Chicago’s electoral roll—1.8 million records—was found a week ago in an Amazon Web Services bucket configured for public access. The data was a backup stored in AWS by Election Systems & Software (ES&S), a voting machine and election management systems vendor based in Omaha, Nebraska. Researchers from UpGuard made the discovery last Saturday and privately reported the leak to a government regulator who connected them to the Chicago FBI field office. The FBI then notified ES&S, which immediately pulled down the data from Amazon. Amazon buckets are configured to be private by default and require some kind of authentication to access what’s stored in them. For some reason, ES&S misconfigured its bucket to public months ago, opening the possibility that others had accessed the data before UpGuard.

Illinois: 1.8 million Chicago voter records exposed online | CNN

A voting machine company exposed 1.8 million Chicago voter records after misconfiguring a security setting on the server that stored them. Election Systems & Software (ES&S), the Nebraska-based voting software and election management company, confirmed the leak on Thursday. In a blog post, the company said the voter data leak contained names, addresses, birthdates, partial social security numbers and some driver’s license and state ID numbers stored in backup files on a server. Authorities alerted ES&S to the leak on Aug. 12, and the data was secured. A security researcher from UpGuard discovered the breach. The data did not contain any voting information, like the results of how someone voted. Jim Allen, a spokesman for the Chicago Board of Elections, said the leak did not contain or affect anyone’s voting ballots, which are handled by a different vendor. “We deeply regret this,” Allen said. “It was a violation of our information security protocol by the vendor.”

Illinois: Info on 1.8M Chicago voters was publicly accessible, now removed from cloud service: election officials | Chicago Tribune

A file containing the names, addresses, dates of birth and other information about Chicago’s 1.8 million registered voters was published online and publicly accessible for an unknown period of time, the Chicago Board of Election Commissioners said Thursday. The acknowledgment came days after a data security researcher alerted officials to the existence of the unsecured files. The researcher found the files while conducting a search of items uploaded to Amazon Web Services, a cloud system that allows users to rent storage space and share files with certain people or the general public. The files had been uploaded by Election Systems & Software, a contractor that helps maintain Chicago’s electronic poll books.

Illinois: Information about 1.8 million Chicago voters exposed on Amazon server | USA Today

Names, addresses, dates of birth and other information about Chicago’s 1.8 million registered voters was left exposed and publicly available online on an Amazon cloud-computing server for an unknown period of time, the Chicago Board of Election Commissions said. The database file was discovered on Friday by a security researcher at Upguard, a company that evaluates cyber risk. The company alerted election officials in Chicago on Saturday and the file was taken down three hours later. The exposure was first made public on Thursday. The database was not overseen by the Chicago Board of Election but instead Election Systems & Software, an Omaha, Neb.-based contractor that provides election equipment and software.

Illinois: Don’t panic, Chicago, but an AWS S3 config blunder exposed 1.8 million voter records | Associated Press

A voting machine supplier for dozens of US states left records on 1.8 million Americans in public view for anyone to download – after misconfiguring its AWS-hosted storage. ES&S says it was notified by UpGuard researcher Chris Vickery of the vulnerable database that contained personal information it collected from recent elections in Chicago, Illinois. The records included voters’ names, addresses, dates of birth, and partial social security numbers. Some of the records also included drivers’ licenses and state ID numbers. “The backup files on the AWS server did not include any ballot information or vote totals and were not in any way connected to Chicago’s voting or tabulation systems,” ES&S said in a statement on Thursday. “These back-up files had no impact on any voters’ registration records and had no impact on the results of any election.”

China: Privacy commissioner slams election office’s treatment of voter data following missing laptop incident | Hong Kong Free Press

The Privacy Commissioner has said the Registration and Electoral Office (REO) contravened privacy rules after it lost an election computer containing the personal information of all voters. It has demanded improvements. The commissioner’s office launched an investigation after two computers were lost from a backup polling station for the chief executive election in March. It was discovered a day after the election that the two machines had disappeared from a locked room, despite there being no sign of a break-in. One of the lost computers contained the names, addresses, and the identity card numbers – considered private information – of all 3.78 million Hong Kong voters. The data was stored in an encrypted format and did not include telephone numbers and voting records.

Philippines: Poll chief liable for ‘Comeleak’ | Inquirer

What a difference one month makes. In December, Commission on Elections (Comelec) Chair Andres Bautista basked in the glow of an agency that was hailed globally as the Electoral Commission of the Year for the successful May 9, 2016, polls. A month later, he was facing potential criminal prosecution over the March 2016 hacking of the Comelec website that has since been described as one of the worst breaches of a government-controlled database. The National Privacy Commission said on Thursday that Bautista had committed “gross negligence” under the Data Privacy Act of 2012, or Republic Act No. 10173. This came to light following an investigation of a “data breach” from March 20 to 27 last year. The breach exposed almost 77 million voter registration records. Sensitive information, such as voters’ full names, addresses, passport details and birthdays were posted on online platforms and a website that has since been taken down. So notorious was the event that it even has its own name: Comeleak.

National: Hackers have attempted more intrusions into voter databases, FBI director says | The Washington Post

Hackers have attempted more intrusions into voter registration databases since those reported this summer, the FBI director said Wednesday, and federal officials are urging state authorities to gird their systems against possible other attacks. Testifying before the House Judiciary Committee, FBI Director James B. Comey said that the bureau had detected scanning activities — essentially hackers scoping out a potential attack — as well as some actual attempted intrusions into voter registration databases. He said those attempts were beyond what had been made public in July and August, likely referring to hacking efforts in Illinois and Arizona, though he offered no other specifics. “We are urging the states just to make sure that their deadbolts are thrown and their locks are on, and to get the best information they can from” the Department of Homeland Security, he said.

Washington: Update to Online Search Tool Exposed Voter Info | Government Technology

Some personal voter information could have been gleaned from Washington’s online search tool for several months because of a problem with an update of the system, state elections officials said Friday. That problem was fixed shortly after it was pointed out in a complaint to the state Office of Cyber Security by Tina Podlodowski, the Democratic candidate for secretary of state. Podlodowski, who has criticized incumbent Republican Secretary of State Kim Wyman over voter data security, said Friday the problem was brought to her attention by “a couple of concerned citizens” and she confirmed it by checking her own registration information online.

Washington: Secretary of state learns of online data issue from opponent | KING5

A design flaw in Washington’s online voting tool, MyVote, exposed some voter information that should not have been accessible. The secretary of state’s office says the glitch has since been fixed. But, in an election year twist, the Democratic candidate for secretary of state, Tina Podlodowski, alerted the state’s cyber security office to the problem. Podlodowski is challenging incumbent Secretary of State Kim Wyman, a Republican. Podlodowski says a concerned citizen brought the glitch to her attention, prompting her to send an email to Washington’s Chief Information Security Officer. According to the secretary of state’s office, the software issue allowed access to personal information including email address and phone number, as well as some contact information for military voters. The information was not visible on screen, but could be read through computer coding.

National: Hacking the election is nearly impossible. But that’s not Russia’s goal. | The Hill

Elections authorities and cyber security experts say a concerted effort to alter the outcome of November’s elections through a cyber attack is nearly impossible, even after hackers gained access to voter registration databases in at least two states. But some of those same experts say hackers with ties to Russia aren’t aiming to change election results; instead, their goal is to create a perception that the results are in question, and to undermine confidence in American democracy. “Russian tampering with elections is not new. It’s only new to the U.S.,” said Chris Porter, who runs strategic intelligence for the cybersecurity firm FireEye Horizons. He pointed to Ukraine, Bulgaria, Romania and the Philippines, where Russian-backed hackers have gained access to electoral systems in recent years.
“It’s just enough to create scandal,” Porter said. “That’s sufficient for Russian aims.” Last month, officials in Arizona and Illinois discovered their voter registration systems had been hacked, a leak that put thousands of voter registration records up for sale on the black market. In January, more than 17 million voter registration records from Washington, Delaware, Rhode Island and Ohio were stolen.

Washington: Challenger Podlodowski discovers open door into state’s voter database | Seattle Post Intelligencer

A yawning back-end pathway into the state’s voter registration database, through which private information could have been accessed, has been closed, thanks to the candidate challenging Secretary of State Kim Wyman. “Anyone with basic programming skills and knowledge about these weaknesses could conceivably (access) this data, look up and harvest private data from millions of Washingtonians,” Tina Podlodowski wrote Wednesday to the state’s chief information security officer (CISO). The information accessible via the back-end pathway included voters’ personal cell phone numbers, personal email addresses, ballot delivery types, and the coding used to message military and overseas voters.
Wyman’s office, without mentioning Podlodowski, put out a release Friday, saying: “The situation has been quickly rectified.” David Ammons, chief communications officer for the secretary of state, later confirmed that the problem was first identified in a letter from Podlodowski.

Arkansas: Lawyer blasts voter-roll response | Arkansas Online

An attorney hired by the state Democratic Party told Secretary of State Mark Martin’s office that the latter’s explanations for withholding records about the statewide voter database were “farcical,” “disingenuous” and ultimately “unlawful” in a letter delivered Friday. The letter was written by David Mitchell of the Rose Law Firm. He was hired by the party to represent Chris Burks, general counsel for the party, who had submitted a Freedom of Information Act request to the secretary of state’s office on Aug. 3. Although Martin’s office responded with some documents, Burks said Friday’s letter was intended to point out there were still matters outstanding in the original Freedom of Information Act request. The Democrats sought information about flawed data that Martin’s office had entered into the statewide voter database used by county clerks. County clerks use the data to determine which voters are felons whose names should be struck from voter rolls, but the data included felons who had regained the right to vote and others who had never been convicted of a felony.

Cambodia: Cambodia Cranks Up Election Process Raising Fraud Concerns | RFA

As Cambodian officials rolled out a new voter registration system on Thursday, questions were raised about the nation’s ability to conduct free and fair elections. While Cambodian authorities announced a three-month registration process that will run from Sept. 1 to Nov. 29, the U.N. ambassador to Cambodia expressed concern that the country’s current political situation could poison the process. “The European Union has expressed concerns over certain actions of the authorities in implementing legal procedures against the opposition party’s officials, civil society’s representatives, and the National Election Commission (NEC) deputy general secretary,” said Ambassador George Edgar. “Cambodia’s authorities must ensure an atmosphere that all political parties and nongovernmental agencies are able to do their jobs without obstacles,” he added during a ceremony announcing the launch of the registration system.

Cambodia: Computer System to Register Voters | Khmer Times

Cambodia’s new voter registration system will use a computer program to register eligible citizens who have a national identity card and are over the age of 18 before election day, according to a National Election Committee (NEC) technical officer at a media training event on Friday. Tob Rethy, head of the department of voter database management and NEC voter lists, explained the registration process and addressed reporters’ security concerns. “The names of villages, communes, districts, provinces, capitals and other important details are already included in the program, meaning program users are not allowed to write or add more villages or communes,” he said. “We will use a 3G service to send the data to the server at the NEC head office in Phnom Penh. In case data cannot be sent through the Internet, the user can store it on a flash card or SD card, then send the data file to the NEC commune office for forwarding to the capital,” he said.

Arkansas: Before flaws noted, Arkansas flagged 7,730 on voter list | Arkansas Online

Flawed data flagged 7,730 people in Arkansas to be removed from voter rolls, a spokesman for the secretary of state said Friday. That data have caused headaches for county clerks, who have been left to work out what’s accurate. Some on the list are felons who have not yet taken the steps to regain their right to vote and must be kept off voter rolls, but others on the list have not committed a felony or have already had their rights restored. Interviews with a handful of county clerks show that they are removing only a fraction of those people. In Pulaski County — where nearly 2,000 of those named on the state’s list reside — about 20 percent will be removed after staff members investigated each person, said Jason Kennedy, assistant chief deputy of the clerk’s office.

Arkansas: Old Felon Data Could Keep Voters From Casting Ballots | NWA

An error sent out to county clerks across Arkansas could keep some who are eligible to vote from casting a ballot this November because they’re believed to be felons. The Secretary of State’s office got a list of felons from the Arkansas Crime Information Center. In the past, the office has received that information from the Department of Corrections, but according to law, the SOS must go through ACIC. That’s what happened this year, but on this first go-around, there’s a major issue. Larry Crane, the Pulaski County Clerk, says with months to go before the general election it’s busy. “My office and all of the clerks are going to work our way through this the best we can,” said Crane.

National: Database Of All US Voters Available For Sale At $7,800 On The Dark Web | TechWorm

In recent times, the data from every breach that takes place has been finding its way to the principal black market known as the ‘Dark Web’. One can easily find any kind of data that they are looking for here. It is now learnt that a hacker is trying to sell a database that supposedly contains registration records for voters in all 50 US states, Tech Insider reported. A seller using the pseudonym of ‘DataDirect’ is offering US voters’ registration records on the dark net marketplace “The Real Deal.” The Real Deal is a popular site many cyber criminals use for buying and selling everything from illegal drugs to zero-day software exploits. The seller is offering US voters’ records for each state at 0.5 BTC (around USD 340). The seller is also ready to offer the records at a “bulk rate” of 12 Bitcoin, or about $7,800. “US voter registration records. Selling the DB on a State-by-State basis. 0.5 BTC per state (you must tell me which State you want. Some people think it’s unfair to make each State cost the same amount because some States are much bigger than others. I think it’s just easier this way.” states the item description.

Arkansas: Error flags voters on registration list; thousands in jeopardy of having their registration canceled | Arkansas Online

Flawed data sent out by the Arkansas secretary of state’s office in conjunction with the Arkansas Crime Information Center incorrectly flagged thousands of people to be removed from voter registration lists, meaning several Arkansas voters will have to prove their status before this year’s presidential election if the issue isn’t fixed. In many cases, that will result in undue burden to voters, some county clerks have said, even hinting at possible future lawsuits over the mess-up. The problem arose when the secretary of state’s elections division sought to update voter lists with new felon data to ensure that felons still in prison or on parole or probation aren’t allowed to vote, per state law. In the process of getting the data from the Arkansas Crime Information Center, known as ACIC, about 4,000 people who have never been convicted of a felony were included on the list and flagged by error. Some of them may have been notified by their county clerks’ offices that their voter registration has been canceled, even though it shouldn’t have been.

Illinois: Hackers penetrate Illinois voter registration database | The Southern

The Illinois State Board of Elections’ online voter registration system remained down Thursday afternoon in the wake of a cyberattack last week. The attack on the statewide Illinois Voter Registration System occurred July 12, and the system was shut off July 13 as a precaution once the board realized the severity of the attack, according to a message sent to local election authorities. Hackers exploited “a chink in the armor in one small data field in the online registration system,” said Ken Menzel, the board’s general counsel.

Editorials: Potential Arizona voter data hack gets whimper of an explanation | News-Herald

Arizona voters deserve to know if their personal information on file with the state of Arizona remains safe from identity thieves. If there is any threat to the security of the voter registration database, it deserves not only an investigation but full disclosure of the outcome. Right now, every voter in the state has legitimate reason to at least wonder if their personal information has been compromised. A couple of weeks ago, the FBI investigated a hacking threat against the state’s voter registration database and deemed the threat credible, labeling it an “8 out of 10” on the severity scale. The database contains not only names and addresses but also driver license numbers, partial Social Security numbers and other personal information that identity thieves can match with other partial personal information and commit fraud. As the investigation progressed, the state shut down its voter registration website.

Arizona: Investigators find no evidence of voter database hack; system back online | KPHO

After more than a week of forensic analysis, cybersecurity investigators found no signs of hacker infiltration into the state’s voter registration database and have brought the system back online, the Arizona Secretary of State’s Office announced. The system was taken offline for nine days after the FBI found a “credible and serious” threat to the database, which contains personal information about the more than 3 million registered voters in the state. The system was restored Thursday. “We have not found any evidence of malware or command and control software in the voter registration system and have restored its use,” Secretary of State Michele Reagan said in a statement.

California: All of California’s voters are now in one online database | Los Angeles Times

A single, instantly updated list of registered voters in California became reality on Monday, as two final counties plugged in to an electronic database mandated by a federal law enacted in the wake of the contentious 2000 presidential campaign. In other words, a database that was long overdue. “It’s been more than a decade in coming,” Secretary of State Alex Padilla said. The $98-million project allows elections officials in each of California’s 58 counties to easily track voters who move from one place to another and to quickly update their records in the event of a death or a voter deemed ineligible after conviction of a felony.

Florida: Secret-voter data bill, on shaky ground, is tabled a second time | Tampa Bay Times

Facing likely defeat, a Republican senator tabled his own bill Tuesday to make most public information on Florida voters secret. It was the second time that Sen. Thad Altman’s bill was pulled from consideration before a vote in the Senate Ethics & Elections Committee. Altman’s bill (SB 702), a priority of county election supervisors, would make all 12 million Florida voters’ home addresses, dates of birth, phone numbers and email addresses secret. The information has been public for decades, but supervisors say that because of the Internet, voters are shocked to find that the data is all over the web, making them potential targets of identity theft. The voter data is also used by Tom Alciere, a former New Hampshire legislator, who has for-profit websites that display states’ voter databases.