191 Million US Voter Registration Records Leaked In Mystery Database

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.forbes.com/sites/thomasbrewster/2015/12/28/us-voter-database-leak/

A whitehat hacker has uncovered a database sitting on the Web containing
various pieces of personal information related to 191 million American
citizens registered to vote. On top of the concomitant problems of
disclosing such a significant leak to that many people, no one knows who is
actually responsible for the misconfiguration that left the data open to
anyone.

Researcher Chris Vickery, who this month found myriad databases left open
to all and sundry, told FORBES he has his hands on all 300GB of voter data,
which includes names, home addresses, phone numbers, dates of birth, party
affiliations, and logs of whether or not they had voted in primary or
general elections. The data appears to date back to 2000. It does not
contain financial data or social security numbers.

Vickery looked up his own information in the database table covering Texas
and confirmed it was all accurate. Reporters from CSO and DataBreaches.net
did the same. Vickery also looked up several police officers in his city
and confirmed the information was correct.

Finally, I gave Vickery my parents’ surname and home town in the United
States. He found them in the database in a matter of minutes. It would
appear every registered US voter is included in the leak.

But their various attempts to disclose the breach to the right party were
close to fruitless. DataBreaches.net and Vickery chased NationBuilder, a
service that sets up digital campaigns for political parties. They believed
certain markers in the database pointed to a NationBuilder-designed
database. A NationBuilder spokesperson told DataBreaches.net that the IP
address linked to the leaked database was not one of theirs, and the IP
address was not related to any of their hosted clients.

It could be that a non-hosted NationBuilder customer was responsible for
the misconfiguration. The provider’s CEO Jim Gilliam said “it is possible
that some of the information it contains may have come from data we make
available for free to campaigns”.

“From what we’ve seen, the voter information included is already publicly
available from each state government so no new or private information was
released in this database,” Gilliam added.

“We strongly believe in making voter information more accessible to
political campaigns and advocacy groups, so we provide cleaned versions of
that publicly accessible information to them for free.

“We do not provide access to anyone for non-political purposes or that
would violate any state’s laws. Each state has different restrictions, and
we make sure that each campaign understands those restrictions before
providing them with any data. It is vital that everyone running for office
knows who is registered to vote in their district.”

No one has taken responsibility for the leak. CSO contacted other political
tech groups – Catalist, Political Data, Aristotle, L2 Political, and NGP
VAN – and all denied the database belonged to them. The FBI New York field
office and Internet Crime Complaint Center were contacted by
DataBreaches.net and Vickery too.

The FBI declined to provide comment to FORBES. It recommended contacting
the Secret Service, which had not responded to requests.

That this kind of information is open to anyone might not alarm at first
glance. Much of the data is publicly available across states as campaigners
seek to home in on certain demographics. But some charge thousands of
dollars for the pleasure. Many also place restrictions on the use of the
information for commercial purposes.

Right now, thanks to someone’s carelessness, it’s free to anyone who can
find what Vickery did. That means anyone in the world can find out where a
person in the US lives and what political beliefs they may have. If they
can find the database, scammers and marketing folk alike will likely
benefit most.

“Our society has never had to confront the idea of all these records, all
in one place, being available to anyone in the entire world for any purpose
instantly,” Vickery added. “That’s a hard pill to swallow. It crosses the
line.”

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!