A database with 154 million US voter registration records has been leaking information on a dizzying array of intimate details, including gun ownership, Facebook profiles, address, age, position on gay marriage, ethnicity, email addresses and whether a voter is “pro-life.”
MacKeeper security researcher Chris Vickery found the instance of a CouchDB database wide open, configured as it was for public access with no username, password, or other authentication required.
As Vickery said in a post, he tracked down and notified the company that was the source of the database. It was shut down within 3 hours.
On Tuesday, Vickery reached out to the company – a data brokerage firm named L2 – to report his theory: that one of its clients had purchased data from L2 and was hosting it in an insecure manner.
L2 said that yes, that was the case. He and L2 CEO Bruce Willsie tracked down the client, and the database was taken offline within 3 hours.
In a statement he sent to Vickery, Willsie said that the situation was even worse than what Vickery’s screenshot showed. In fact, the national file of voter records that Vickery had captured – beyond things such as party affiliation, religion and income – had far more fields and far more personal details on individuals:
“This was an old copy (from about a year ago) of the national file and it had only a very small number of our standard fields.”
According to Willsie, L2’s client claimed that it had been hacked, that the firewall had been taken down, and that’s when the probing began. The client was doing its own research to determine the extent of the incursion, he said, and will get back to L2 with its findings and its plan for hardening the system.
This is far from the first breach of voter records, which many people are surprised to hear are generally considered public. We’ve seen…
- US voter registration records of 191 million voters exposed online in December.
- Another US voter data exposure, of more than 56 million records. Some 19 million profiles exposed not only voter registration data but personal information such as Christian values, bible study, and gun ownership.
- A massive breach of Mexico’s voter registration database: all 93.4 million of its voters.
- A breach of the Philippines’ Commission on Elections (Comelec) affecting about 55 million people.
- Exposure of the data on 50 million Turkish citizens.
CSO Salted Hash’s Steve Ragan is one of those – along with Vickery – who’ve inspected these databases.
He notes that the US voter databases found around Christmas 2015 contained a voter’s full name (first, middle, last), their home address, mailing address, a unique voter ID, state voter ID, gender, date of birth, date of registration, phone number, a yes/no field for if the number is on the national do-not-call list, political affiliation, and a detailed voting history since 2000. As well, the database contains fields for voter prediction scores.
All of that, besides a few fields protected by some state laws, is public record. But in general, voter data is restricted to non-commercial purposes.
But once it’s available to anybody who knows how to find it online, we can kiss that notion of restricted use goodbye.
All those who’ve viewed the databases agree: tracking down who owns the databases is difficult. Ragan:
“No one seems to care that [one of the earlier leaked databases] is out there and no one wants to claim ownership.”
The fact that L2 acknowledged that the most recent dataset was its own, identified which client had leaked it, and managed to get it taken down in 3 hours, is actually an aberration.
Let’s hope it turns into a trend.
Mahhn
PII not encrypted at rest. People need to go to jail for neglect.
E Mockingbird (@Uncle_Zeno)
Seems like an argument against internet voting, wouldn’t you say? People too lazy to go to the polls can still vote by mail. All we need is a foreign government to vote for us.
Mahhn
You mean like the Chinese government giving millions to hilldog so she can outspend everyone else?
Bardi
So, does the fact that, under Citizens United, a government, using a citizen proxy, can give unlimited dollars to any candidate they wish, all secret, give you pause? At all? Can you pinpoint where GOP money comes from? At least you think you know where Hillary got her money. You cannot even start for the GOP.
R. Dale Barrow
How in the world would a database have any level of voting history – no say “detailed”? I thought the U.S. used secret ballots.
Paul Ducklin
I assumed that phrase referred to “a history of whether you showed up at the polling station or not,” rather than “what your actual choice was.”
John Griffith
I cannot wait for someone to decide on-line voting is an idea whose time has come.
Ian Beyer
Voter records are a matter of public record. They do not contain information about positions on issues. All they contain is address, basic demographics, a primary key, party affiliation, and which elections you’ve voted in recently. These records may have been ABOUT voters (most records are, after all), but they are not voter records, which are maintained by the individual states, not private organizations, and are available upon request (You wanna see a big CSV file dump? Order your state voter list. It’ll probably come on a DVD, as a CD won’t contain it).
Cliff
Exactly, US voter registration records are public information. Some states have the databases online in the deep web, so you probably would not find the db in a Google search. But that doesn’t mean the records won’t come up in Google. I know there is a database that must access the Connecticut records because I have searched it. In New York, you have to go to the Board of Elections and buy the records (I have seen them on a CD). The file contains name, DOB, date registered, date of last vote, address, political party affiliation. In theory there should be no way to see how the voter voted.
Mahhn
Nice to know that they have 154 million gun ownership records so when hilldog goes to confiscate them all, they can do it overnight and avoid any deaths. FYI, there aren’t that many people in the US military and law enforcement combined. Even then, most of them are pro gun LOL.
Lisa Vaas
Not all of the records that included the gun ownership field pertained to people who do in fact own guns. A subset of the 154m records included gun ownership details of both those recorded as having guns and those recorded as not owning guns. We don’t have details of the exact number of gun owners or non-gun owners.