More Sensitive US Voter Records Leaked

Uploaded on 2017-10-12 in NEWS-Cybersecurity News, GOVERNMENT-Local, FREE TO VIEW

A cache of voter records on over a half-million Americans has been found online. The records, totaling 593,328 individual sets of records, appear to contain every registered voter in the state of Alaska, according to security researchers at the Kromtech Security Research Center, who found the database.

The records were stored in a misconfigured CouchDB database, which was accessible to anyone with a web browser, no password needed, until Monday 11th September, when the data was secured and subsequently pulled offline.

The exposed data is just a portion of a larger voter file compiled by TargetSmart, which said its national voter file, that contains 191 million voters, is the "most comprehensive and up-to-date voter file ever assembled."

The data is collected and used to help political campaigns with their fundraising, research, and voter contact programs, the company said.

ZDNet was provided a small sample of the records for verification.

Each XML-formatted record contained details, some sensitive and personally identifiable information, on prospective voters, including names, addresses, dates of birth, their ethnic identity, whether an individual is married, and the individual's voting preferences.

But the data also contained highly personal information, such as household income, the age ranges of an individual's children, and if an individual is a homeowner.

The records, some are more complete than others, also have fields for the types of issues that an individual can be lobbied on, such as climate change, gun control, and tax reforms.

When reached, TargetSmart said that a third-party company was to blame for the data exposure.

"We've learned that Equals3, an artificial intelligence software company based in Minnesota, appears to have failed to secure some of their data and some data they license from TargetSmart, and that a database of approximately 593,000 Alaska voters appears to have been inadvertently exposed," said Tom Bonier, Targetsmart chief executive.

Bonier said the data was not accessed by anyone other than the security researchers at TargetSmart and the team that identified the exposure.

"None of the exposed TargetSmart data included any personally identifiable, non-public financial data," he said.

"To be clear, TargetSmart's database and systems are secure and have not been breached. TargetSmart imposes strict contractual obligations on its clients regarding how TargetSmart data must be stored and secured, and takes these obligations seriously," Bonier added.

Equals3 chief executive Dan Mallin confirmed it had "experienced an intrusion of a sample data set on one of our development servers." He said that the server wasn't in use by any of the company's clients and was shut down.

"This was an isolated intrusion, stemming from a white hat group who was searching for a known vulnerability in CouchDB," referring to Kromtech security researchers.

"We have diligently conducted a forensic audit confirming the data set was not downloaded," he said.

This is the second known data exposure of voter records this year.

The first, and largest ever to date, saw 198 million records on individuals from every state exposed. Deep Root Analytics, a data company working for the Republican party, took responsibility for the exposure.

Kromtech has in recent years discovered and reported on several US voter databases online, totaling 18 million voters, as well as the state of Louisiana's entire database of 2.9 million voters.

Kromtech's Alex Kernishniuk said the exposure was "yet another wake-up call" for companies and governments to audit their networks.

"There seems to be no end in sight for improperly secured data making its way onto the web, and with little or no accountability for proper storage and security measures, it is up to regulators to decide the best way to manage an aging electoral system that seems to be struggling to keep up with the digital age," he said.

ZD Net:

You Might Also Read: 

Hong Kong’s 3.7 Million Voters Exposed in Massive Breach:

Russia's US Election Hacks More Persistent Than First Thought:

 

« In Demand: New Tech Against Drone Attacks
Wanted: A New Microchip For The AI Era »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

CloudDNA

CloudDNA

CloudDNA deliver solutions that enable users and devices to connect over high performance, secure, efficient, scalable cloud networks.

Axis Capital

Axis Capital

AXIS Insurance’s Professional Lines Division is a leading underwriter of technology/cyber coverage and other specialty products around the globe.

Cyber 2.0

Cyber 2.0

Cyber 2.0 is the only system in the world that blocks all forms of cyber attack within the organization, including new and unfamiliar attack methods.

IoT Defense

IoT Defense

IoT Defense (IOTD) is a cybersecurity and networking company building solutions that enable the protection of networks and the ever-increasing prevalence of IoT devices.

SOSA

SOSA

SOSA facilitates new growth opportunities by connecting the dots between industry verticals and innovation ecosystems around the world.

SecureStack

SecureStack

SecureStack helps software developers find security & scalability gaps in their web applications and offers ways to fix those gaps without forcing those developers to become security experts.

Soffid

Soffid

Soffid provides full Single-Sign-On experience and full Identity and Access Management features by policy-based centralised orchestration of user identities.

Tapestry Technologies

Tapestry Technologies

Tapestry Technologies supports the Department of Defense in shaping its approach to cybersecurity.

Gula Tech Adventures

Gula Tech Adventures

Gula Tech Adventures invests in companies and nonprofits that help close the gap in needed technology and workforce to defend the country in cyberspace.

Bionic

Bionic

Bionic is an agentless way to get control over your increasingly complex applications so you can manage, operate, and secure them faster and more efficiently.

Trisul Network Analytics

Trisul Network Analytics

Trisul helps organizations deploy full spectrum deep network monitoring which can serve as a single source of truth for performance monitoring, security analytics, threat detection and compliance.

Ostra Cybersecurity

Ostra Cybersecurity

As a next-generation MSSP, Ostra Cybersecurity combines best-in-class tools, proprietary technology and exceptional talent to deliver Fortune 100-level protection for businesses of all sizes.

SNC-Lavalin

SNC-Lavalin

SNC-Lavalin is a fully integrated professional services and project management company with offices around the world.

ZainTech

ZainTech

Zaintech is a regional digital & ICT solutions provider offering comprehensive digital solutions and services to enterprise and government customers in the MENA region.

Star Lab

Star Lab

Star Lab specializes in the development and productization of embedded security technologies.

Viatel Technology Group

Viatel Technology Group

Viatel Technology Group is a complete digital services provider. We have over 26 years’ experience delivering fully managed security, networking, cloud and communications services.