With the mid-term US elections only a few weeks away, a known dark web vendor has put up for sale previously undisclosed, current voter registration records for an estimated 35 million US voters hailing from 19 states.
He or she is selling the databases by state. Kansas’s voter database, a top pick in a crowdfunded campaign by members of the dark web forum to purchase the data, has already been sold and published.
The sale was first spotted by Anomali Labs researchers, who’ve been working with cybercrime intelligence provider Intel 471.
Anomali says that next up on the list is Oregon: as of Monday, the crowdfunding campaign to purchase and disseminate the 2018 Oregon voter registration list had met 20.7% of its funding goal. One of the crowdfunding campaigners claims that if they purchase the records they will publish them freely on the hacking forum, with campaign donors receiving early access to the data.
Anomali emphasized that the sale – although it involves valuable personally identifiable information (PII) that could be used for identity fraud, as well as voting records – doesn’t point to voting systems having been hacked.
Many people are surprised to hear that basic voter registration lists are generally considered public. But such information is actually made generally available to the public “for legitimate uses,” Anomali Labs said in its report. “Legitimate” use doesn’t include being sold or disseminated, though:
Generally speaking, voter lists are not permitted to be used for commercial purposes or allowed to be republished online. The discovery of 19 US state voter lists from 2018 on Deep and Dark Web forums and marketplaces illustrates the potential ease of unauthorized entities circumventing established state rules and procedures to obtain and profit from voter data. When these lists are combined with other breached data containing sensitive information, e.g., social security number and driver’s license, on underground forums it provides malicious actors with key data points for creating a target profile of the US electorate.
This is far from the first breach of voter records that we’ve seen. Others include:
- US voter registration records of 191 million voters exposed online in December 2015.
- Another US voter data exposure, of more than 56 million records in January 2016. Some 19 million profiles exposed not only voter registration data but personal information such as Christian values, bible study, and gun ownership.
- A massive breach in 2016 of Mexico’s voter registration database: all 93.4 million of its voters.
- A 2016 breach of the Philippines’ Commission on Elections (Comelec) affecting about 55 million people.
- Exposure of the data on 50 million Turkish citizens in 2016.
- A database with 154 million US voter registration records that in 2016 was found to be leaking information on a dizzying array of intimate details, including gun ownership, Facebook profiles, address, age, position on gay marriage, ethnicity, email addresses and whether a voter is “pro-life.”
This latest exposure includes 23 million records for just three of the 19 states affected. No record counts were provided for the remaining 16 states, but the list does include prices for each state. Based on what’s been advertised, researchers have estimated that the total number of registered voters affected by the disclosure could exceed 35 million.
Anomali says that researchers have reviewed a sample of the database records and determined the data to be valid “with a high degree of confidence.”
The records purportedly contain voters’ full names, phone numbers, physical addresses, voting history, and other unspecified voting data. Depending on the state, and perhaps on how many records each database contains and/or how much trouble the vendor had to go through to get a particular database, sales prices range from $150 to $12,500 USD.
The vendor is promising to provide customers with regular database updates at the start of each week.
What leads Anomali/Intel 471 researchers to suspect that the current dark web voter data sales likely aren’t linked to a technical compromise is that the seller requires that for certain states, buyers have to physically show up in-state to buy the updated voter information. The Anomali researchers concluded
… that he or she may have persistent database access and/or contact with government officials from each state.
These types of unauthorized information disclosures increase the threat of possible disruptive attacks against the U.S. electoral process, such as voter identity fraud and voter suppression.