An Internet-facing voter database that contained over 191 million voter registration records for U.S. voters was...
discovered by security researcher Chris Vickery, according to a report posted on DataBreaches.net, and was openly accessible for over a week before being taken down.
"I believe this is every registered voter in the entire country. To be very clear, this was not a hack," Vickery wrote in a post on Reddit. "The mysterious, insecure database is currently configured for public access. No password or other authentication is required at all."
The database records include full name, telephone number, home and mailing addresses, date of birth and voter information, including party affiliation and voting history since 2000.
While voter registration information is generally part of the public record, there are usually restrictions placed on how it may be acquired or used. For example, in South Dakota, those requesting voter registration data must sign this statement:
"In accordance with SDCL 12-4-41, I understand that the voter registration data obtained from the statewide voter registration database may not be used or sold for any commercial purpose and may not be placed for unrestricted access on the Internet."
While some states place no restrictions on the use of voter registration data, many require that the data only be used for political purposes, or state that it may not be made available to be accessed by users outside of the U.S. Many states also charge sometimes significant amounts for acquiring their voters' registration information. "Prices range from a simple $5 processing fee to as high as the $29k fee charged by Alabama in 2012 for approximately 3 million voter registration records," according to political data firm NationBuilder. They estimated the cost for all U.S. voter registration data to be over $100,000.
Based on "some data field labels that looked like they might be unique or proprietary," the database appears to have originated with NationBuilder, according to DataBreaches.net.
"While the database is not ours, it is possible that some of the information it contains may have come from data we make available for free to campaigns," NationBuilder founder and CEO Jim Gilliam said in a statement released after the disclosure. "From what we've seen, the voter information included is already publicly available from each state government, so no new or private information was released in this database."
DataBreaches.net had some suggestions as to who was responsible. "Could it be one of their non-hosted clients leaking the database? Maybe. Could it be that someone hacked one of their clients and stored a copy of the database at this IP address? Maybe. Could it be that an employee of a client decided to make themselves a copy for their own purposes? Maybe. The possibilities are numerous. We really don't know, and DataBreaches.net declines to speculate."
Learn more about e-voting.
Find out how big data affected the 2012 U.S. presidential election.
Dig Deeper on Identity Theft and Data Security Breaches
Peter Loshin asks:
How severe is the risk caused by the publication of voter registration information?
3 ResponsesJoin the Discussion