154 million voter records exposed, including gun ownership, Facebook profiles and more

A database with 154 million US voter registration records has been leaking information on a dizzying array of intimate details, including gun ownership, Facebook profiles, address, age, position on gay marriage, ethnicity, email addresses and whether a voter is “pro-life.”

MacKeeper security researcher Chris Vickery found a CouchDB database instance wide open: it was configured for public access, with no username, password, or other authentication required.

As Vickery said in a post, he tracked down and notified the company that was the source of the database. It was shut down within 3 hours.

On Tuesday, Vickery reached out to the company – a data brokerage firm named L2 – to report his theory: that one of its clients had purchased data from L2 and was hosting it in an insecure manner.

L2 said that yes, that was the case. Vickery and L2 CEO Bruce Willsie tracked down the client, and the database was taken offline within 3 hours.

In a statement he sent to Vickery, Willsie said that the situation was even worse than what Vickery’s screenshot showed. In fact, the national file of voter records that Vickery had captured – beyond things such as party affiliation, religion and income – had far more fields and far more personal details on individuals:

“This was an old copy (from about a year ago) of the national file and it had only a very small number of our standard fields.”

According to Willsie, L2’s client claimed that it had been hacked, that the firewall had been taken down, and that’s when the probing began. The client was doing its own research to determine the extent of the incursion, he said, and would get back to L2 with its findings and its plan for hardening the system.

This is far from the first breach of voter records, which many people are surprised to hear are generally considered public. We’ve seen…

CSO Salted Hash’s Steve Ragan is one of those – along with Vickery – who’ve inspected these databases.

He notes that the US voter databases found around Christmas 2015 contained a voter’s full name (first, middle, last), their home address, mailing address, a unique voter ID, state voter ID, gender, date of birth, date of registration, phone number, a yes/no field for whether the number is on the national do-not-call list, political affiliation, and a detailed voting history since 2000. The database also contains fields for voter prediction scores.

All of that, besides a few fields protected by some state laws, is public record. But in general, voter data is restricted to non-commercial purposes.

But once it’s available to anybody who knows how to find it online, we can kiss that notion of restricted use goodbye.

All those who’ve viewed the databases agree: tracking down who owns the databases is difficult. Ragan:

“No one seems to care that [one of the earlier leaked databases] is out there and no one wants to claim ownership.”

The fact that L2 acknowledged that the most recent dataset was its own, identified which client had leaked it, and managed to get it taken down in 3 hours, is actually an aberration.

Let’s hope it turns into a trend.