Open database exposes 191 million voter registration records

A mysterious voter database containing 191 million voter registration records found last week was online for over a week, with few clues as to who is responsible.

An Internet-facing voter database that contained over 191 million voter registration records for U.S. voters was...

discovered by security researcher Chris Vickery, according to a report posted on DataBreaches.net, and was openly accessible for over a week before being taken down.

"I believe this is every registered voter in the entire country. To be very clear, this was not a hack," Vickery wrote in a post on Reddit. "The mysterious, insecure database is currently configured for public access. No password or other authentication is required at all."

The database records include full name, telephone number, home and mailing addresses, date of birth and voter information, including party affiliation and voting history since 2000.

While voter registration information is generally part of the public record, there are usually restrictions placed on how it may be acquired or used. For example, in South Dakota, those requesting voter registration data must sign this statement:

"In accordance with SDCL 12-4-41, I understand that the voter registration data obtained from the statewide voter registration database may not be used or sold for any commercial purpose and may not be placed for unrestricted access on the Internet."

While some states place no restrictions on the use of voter registration data, many require that the data only be used for political purposes, or state that it may not be made available to be accessed by users outside of the U.S. Many states also charge sometimes significant amounts for acquiring their voters' registration information. "Prices range from a simple $5 processing fee to as high as the $29k fee charged by Alabama in 2012 for approximately 3 million voter registration records," according to political data firm NationBuilder. They estimated the cost for all U.S. voter registration data to be over $100,000.

Based on "some data field labels that looked like they might be unique or proprietary," the database appears to have originated with NationBuilder, according to DataBreaches.net.

"While the database is not ours, it is possible that some of the information it contains may have come from data we make available for free to campaigns," NationBuilder founder and CEO Jim Gilliam said in a statement released after the disclosure. "From what we've seen, the voter information included is already publicly available from each state government, so no new or private information was released in this database."

DataBreaches.net had some suggestions as to who was responsible. "Could it be one of their non-hosted clients leaking the database? Maybe. Could it be that someone hacked one of their clients and stored a copy of the database at this IP address? Maybe. Could it be that an employee of a client decided to make themselves a copy for their own purposes? Maybe. The possibilities are numerous. We really don't know, and DataBreaches.net declines to speculate."

Next Steps

Learn more about e-voting.

Find out how big data affected the 2012 U.S. presidential election.

Learn how microtargeting techniques might be applied with voter registration data.

Dig Deeper on Identity Theft and Data Security Breaches

PRO+

Content

Find more PRO+ content and other member only offers, here.

Join the conversation

4 comments

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

How severe is the risk caused by the publication of voter registration information?
Cancel
No more severe than any of the countless other breaches. Let's face it - we are naked and exposed. Our most private information is being sold right now by States too dumb to realize what they have. Then it's sold over and over again and again, while we sit here discussing the problem.

There should be a law.... Oh wait, there is. Except the bad guys don't pay attention to that. And the good folk are too weak-willed to stop it.
Cancel
I suspect all who were meant to have a copy now have it.
All major political parties, as well as "sponsors" have long had nearly all this information (legally).
Possible state defined unavailable information (police, prosecutor, judge, public defender, address/phone, etc.) can often be gleamed from other sources.
The investor in U.S. elections no longer need be a voter or even an identifiable entity, at least according to our Constitution, as the Supreme Court has confirmed. 
State laws may have been violated, regarding disclosure & probably federal laws via RICO (in setting up the public access) & possibly interstate transmission stolen property. 
A forensic analysis could reveal the intent & possibly origin of the breach within days, though if well heeled, much longer, especially if NationBuilder continues to abstain. 
Cancel
Although people may be outraged about the existence of this comprehensive database, the fact remains that voter registration data is public information, and while the database was not properly secured it can't really be considered a breach.

I would personally prefer to see public information more accessible to the public, though it's worth reconsidering how much personal information should be public.
Cancel

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close