Maine voter registration system breached. Or not.


Reports surfaced on Wednesday that the US state of Maine – in the north-eastern tip of that country’s Atlantic seaboard – might have suffered a breach in its voter registration system.

According to Maine’s Bangor Daily News, a malware infection in a municipality might have given unlawful access to the state’s voter records.

Maine voter registration requires you to provide your full name, date of birth, street and postal addresses, your previous address, your maiden name (if you have one) and some sort of recognised identification number. For most voters, this is likely to be a driver’s licence number.

That’s not an enormous amount of personally identifiable information (PII), but it’s more than enough to be worthwhile to cybercrooks.

A few hours ago, however, the story was updated. It now appears to be something of a storm in a teacup, consisting of a single malware-infected computer in the remote town of Millinocket, from which it seems no unauthorised access to the records system took place.

This incident highlights one of the thorny issues about regulations surrounding the mandatory disclosure of security breaches: the point at which a ‘breach’ becomes noteworthy.

As regular readers will know, I am generally and vigorously in favour of mandatory disclosure laws, especially in my home country of Australia, where companies are still pretty much at liberty to sweep even the most spectacular acts of security negligence under the carpet.

But there is a risk, if every possible instant at which even the tiniest amount of data might have escaped must be reported publicly, of what some observers call disclosure fatigue.

If the public is regularly flooded with reports of little import affecting few or no people, companies with a slovenly attitude to security might get away with the wheat of a large-scale breach report going unnoticed amongst the chaff of Yet Another Virus Found in a Country Town.

Nevertheless, having no mandatory disclosure regulations at all – especially in a developed and internet-happy economy such as Australia – seems unnecessarily lax.

Hats off, in this case, to the Maine authorities for open communication and a quick resolution.

A good result – and I have no doubt that security awareness will improve (if not by carrot, then by stick) in the immediate future in the Maine public service.