In a recent incident, a cybersecurity researcher named Jeremiah Fowler made a startling discovery of 4.6 million Illinois voter records that were exposed in unsecured databases. This revelation sheds light on the significant vulnerabilities in the security of election data and the potential for misuse of sensitive information. Fowler’s investigation uncovered 13 misconfigured databases containing a vast number of documents, including voter records, ballots, and various election-related lists. The data breach was traced back to a single county in Illinois, where the information was easily accessible to the public without any password or security measures in place.
The exposure of US voter data is not a new phenomenon, as similar incidents have occurred in the past due to server misconfigurations. For instance, in December 2015, 191 million voter records were leaked, and in January 2016, millions of voter records were found circulating on the dark web. Fowler’s deep dive into the issue began when he stumbled upon a database containing sensitive documents such as voter registrations, ballot templates, and voting records. By extrapolating the database format to other counties, Fowler uncovered a total of 13 publicly accessible databases, along with 15 more that were not publicly accessible.
Fowler’s findings, shared with Hackread.com before publication on August 2, 2024, revealed that the counties mentioned in the exposed databases had contracts with Platinum Technology Resource, a company offering election-related services. Additionally, Magenium, a technology company based in Illinois, was responsible for providing technical support to Platinum Elections Services. After notifying both Platinum Technology Resource and Magenium about the exposed databases, access to the data was finally restricted. However, the duration of the exposure and whether any unauthorized access occurred remains unclear.
The exposed databases contained a wealth of sensitive information, including full names, addresses, email addresses, dates of birth, Social Security Numbers (full and partial), driver’s license numbers, and historical voting records. Furthermore, the databases housed copies of voter registration applications, death certificates, and records of changes in address or jurisdiction. Fowler stressed the importance of upholding public trust in the electoral process, especially following the contentious 2020 election, where the integrity of the process was called into question.
Although Fowler did not discover any evidence of malicious activity in the documents he reviewed, he underscored the significance of safeguarding election data from cyber threats that could result in document tampering or the misuse of voter information for fraudulent purposes. The ramifications of exposed personally identifiable information (PII) and sensitive data extend beyond the political realm, as criminals could exploit this data for identity theft, financial fraud, and targeted social engineering attacks.
To address these risks, Fowler recommended that organizations managing sensitive documents in multiple databases adopt unique formats and names that are not easily guessed. He also advised implementing access controls, encryption, and time-limited access tokens to ensure that only authorized users can access or view the documents. Fowler’s findings serve as a wake-up call to bolster cybersecurity practices and data protection measures, aiming to prevent breaches and uphold the integrity of critical information.