191 million US voter registration records leaked in giant mystery database
An independent security researcher has uncovered a publicly-available database containing the personal information of 191 million voters on the internet due to an incorrectly configured database. However, it is not clear who owns it.
Security researcher Chris Vickery, who shared his findings on DataBreaches.net, revealed that he found 300GB database of voter data, which includes names, home addresses, voter IDs, phone numbers, and birth dates, as well as political affiliations and and logs of whether they voted in primary or general elections. He told Forbes that he has the entire 300GB database in his possession, which has data that goes back to the year 2000 However, the database does not contain financial information or Social Security numbers.
Vickery, a tech support specialist from Austin, Texas, said he found the database while looking for information exposed on the Web in a bid to raise awareness of data leaks. He has since reached out to law enforcement, as well as the California attorney general’s office. The database was still online as of Monday.
“When one of their attorneys asked, ‘Well how much data are we talking about?’ and I read her the list of data fields and told her that we had access to voter records of over 17 million California voters, her response was ‘Wow,’ and she promptly forwarded the matter to the head of their e-crime division,” DataBreaches.net’s administrator wrote online.
‘I needed to know if this was real, so I quickly located the Texas records and ran a search for my own name. I was outraged at the result,’ Vickery told CSO Online.
“However, I have looked up several police officers in my city, and their data is indeed present. I’ve been working with journalists and authorities for over a week to get this database shut down or secured. No luck so far.”
After finding his own information in the voter database, Vickery told CSO that: “My immediate reaction was disbelief…. How could someone with 191 million such records be so careless?”
Steve Ragan, a security blogger at CSO, assisted in investigating the breach. He pointed out that none of the political database firms he identified that are connected with the database have claimed ownership of the IP address where the information is published.
He said that the leak is worse than a recent breach of voter data from Hillary Clinton’s campaign by a member of Bernie Sanders’ campaign, “because the data he discovered isn’t a client score – it’s a complete voter record for 191 million registered voters.”
“The problem is, no one seems to care that this database is out there and no one wants to claim ownership,” he said.
Vickery said he has not been able to find out who controls the database, but that he is working with U.S. federal authorities to identify the owner so they can remove it from public view. He refused to identify the agencies. On other hand, a representative with the Federal Bureau of Investigation (FBI) declined to comment.
A representative with the U.S. Federal Elections Commission, which regulates campaign financing, said the agency does not have jurisdiction over protecting voter records.
Regulations on protecting voter data vary from state to state, with many states imposing no restrictions. For example, California requires that voter data be used for political purposes only and not be available to persons outside of the United States.
Privacy advocates said Vickery’s findings were troubling.
“Privacy regulations are required so a person’s political information can be kept private and safe,” said Jeff Chester, executive director of the Washington-based Center for Digital Democracy.
Companies often charge huge amount of money to sell voter data, and many states place restrictions on the use of voter information for commercial purposes. However, political campaigns are mainly exempt from many of the communications laws applying to businesses, and are under no obligation to protect their data.
“Our society has never had to confront the idea of all these records, all in one place, being available to anyone in the entire world for any purpose instantly,” Vickery said, according to Forbes. “That’s a hard pill to swallow. It crosses the line.”