Maine voter registration system breached. Or not.

Filed Under: Data loss, Malware, Privacy

Reports surfaced on Wednesday that the US state of Maine - in the north-eastern tip of that country's Atlantic seaboard - might have suffered a breach in its voter registration system.

According to Maine's Bangor Daily News, a malware infection in a municipality might have given unlawful access to the state's voter records.

Maine voter registration requires you to provide your full name, date of birth, street and postal addresses, your previous address, your maiden name (if you have one) and some sort of recognised identification number. For most voters, this is likely to be a driver's licence number.

That's not an enormous amount of personally identifiable information (PII), but it's more than enough to be worthwhile to cybercrooks.

A few hours ago, however, the story was updated. It now appears to be something of a storm-in-a-teacup, consisting of a single malware-infected computer in the remote town of Millinocket, from which it seems no unauthorised access to the records system took place.

This incident highlights one of the thorny issues about regulations surrounding the mandatory disclosure of security breaches: the point at which a 'breach' becomes noteworthy.

As regular readers will know, I am generally and vigorously in favour of mandatory disclosure laws, especially in my home country of Australia, where companies are still pretty much at liberty to sweep even the most spectacular acts of security negligence under the carpet.

But there is a risk, if every possible instant at which even the tiniest amount of data might have escaped must be reported publicly, of what some observers call disclosure fatigue.

If the public is regularly flooded with reports of little import affecting few or no people, companies with a slovenly attitude to security might get away with the wheat of a large-scale breach report going unnoticed amongst the chaff of Yet Another Virus Found in a Country Town.

Nevertheless, having no mandatory disclosure regulations at all - especially in a developed and internet-happy economy such as Australia - seems unnecessarily lax.

Hats off, in this case, to the Maine authorities for open communication and a quick resolution.

A good result - and I have no doubt that security awareness will improve (if not by carrot, then by stick) in the immediate future in the Maine public service.


One Response to Maine voter registration system breached. Or not.

  1. Elle Woods · 1504 days ago

    Oh, for those blissful carefree days of youth when the punchline to the classic Bert & I "Millinocket" joke elicited much laughter from those familiar with Down East culture. For years it was repeated (accent mandatory) as a tag line in many contexts for those in on the joke.

    This sounds like it definitely could have been done for the lulz. If nothing else, they proved that these days: you can get there from ANYWHERE!



About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog