Databases containing sensitive voter information from multiple counties in Illinois were openly accessible on the internet, revealing 4.6 million records that included driver's license numbers as well as full and partial Social Security Numbers and documents like death certificates. Longtime security researcher Jeremiah Fowler stumbled upon one of the databases that appeared to contain information from DeKalb County, Illinois and subsequently discovered another 12 exposed databases. None were password protected nor required any kind of authentication to access.
As criminal and state-backed hacking becomes ever more sophisticated and aggressive, threats to critical infrastructure loom. But often, the biggest vulnerabilities come not from esoteric software issues, but from gaping errors that leave the safe door open and the crown jewels exposed. After years of efforts to shore up election security across the United States, state and local awareness about cybersecurity issues has improved significantly. But as this year's US election rapidly approaches, the findings reflect the reality that there are always more oversights to catch.
“I’ve found voter databases in the past, so I kind of know if it's a low-level marketing outreach database that someone has purchased,” Fowler tells WIRED. “But here I saw voter applications—there were actually scans of documents, and then screenshots of online applications. I saw voter rolls for active voters, absentee voters with email addresses, some of them military email addresses. And when I saw Social Security numbers and driver’s license numbers and death certificates I was like, ‘OK, those shouldn’t be there.’”
Through public records, Fowler determined that all of the counties appear to contract with an Illinois-based election management service called Platinum Technology Resource, which provides voter registration software and other digital tools along with services like ballot printing. Many counties in Illinois use Platinum Technology Resource as an election services provider, including DeKalb, which confirmed its relationship with Platinum to WIRED.
Fowler reported the unprotected databases to Platinum on July 18, but he says he didn't receive a response and the databases remained exposed. As Fowler dug deeper into public records, he realized that Platinum works with the Illinois-based managed services provider Magenium, so he sent a disclosure to this company as well on July 19. Again, he says he did not receive a response, but soon after the databases were secured, pulling them from public view. Platinum and Magenium did not return WIRED's multiple requests for comment.
Platinum began distributing a notification, viewed by WIRED, to impacted counties on Friday. “We have evidence of a claim the file storage containing voter registration documents may have been scanned,” Platinum wrote, adding that the exposed databases do not indicate a deeper compromise of its systems. “There was a thorough investigation executed. The findings support our ongoing belief there is no evidence of voter registration forms being leaked or stolen. … We used this opportunity to deploy new and additional safeguards around voter registration documents.”
Illinois's data breach notification law requires notification to the state within 45 days of an incident. A standard version of a Champaign County contract for technology services posted publicly through a Freedom of Information Act request requires a contractor to notify the impacted county within 15 minutes of identifying a data breach.
Fowler points out that while the exposed information would potentially make impacted individuals more vulnerable to identity theft and other scams, it could also be abused to submit multiple absentee ballot requests or to conduct other suspicious activity that could call a voter's legitimate ballot into question and take time to reconcile. But he adds that the death certificates and other documentation contained in the trove reflect the work election officials do all over the country to manage voter registrations and ensure that everyone's ballot is accurately counted.
“There’s definitely progress on basic data security, and I don’t see stuff like this very often anymore,” Fowler says. “But I used the open and public internet and no specialized tools to find this. And at the end of the day, this is critical infrastructure that was exposed.”