* From the McLean County Clerk’s Facebook page…
The State Board of Elections (SBE) fell victim to a cyberattack that was detected on July 12, 2016. Specifically, the target was the [Illinois Vital Records System] database. Once discovered, State Board of Elections closed the point of entry. On July 13th, once the severity of the attack was realized, as a precautionary measure, the entire IVRS system was shut down, including online voter registration.
SBE’s Information Technology and Voting and Registration Systems staff immediately began researching the extent of the infiltration. Thus far, we have determined the following:
· The pathway into IVRS was NOT through our firewalls but through a vulnerability on our public web page that an applicant may use to check the status of their online voter registration application.
· The method used was SQL injection. The offenders were able to inject SQL database queries into the IVRS database in order to access information. This was a highly sophisticated attack most likely from a foreign (international) entity.
· We have found no evidence that they added, changed, or deleted any information in the IVRS database. Their efforts to obtain voter signature images and voter history were unsuccessful.
· They were able to retrieve a number of voter records. We are in the process of determining the exact number of voter records and specific names of all individuals affected. (Because of the complex methods used to access the data, this may take 10-15 days.)
· In an effort to prevent an attack such as this from happening in the future, we have made a number of security enhancements to the IVRS and POVA systems.
· Once the system is brought back online, all IVRS user passwords will need to be changed at the first login (or by your vendor for system specific accounts). The new password must be a minimum of eight characters in length, one of which must be a non-alphanumeric character ($, *, # etc.).
Pursuant to the Personal Information Protection Act (815 ILCS530/), the Illinois General Assembly and the Office of the Attorney General have been notified of the incursion. Furthermore, once we have determined the number of voter records and the individuals whose information was collected, we are prepared to take the proper steps required to notify those persons.
A separate notification will be sent indicating when you and your staff may access IVRS. Thank you for your patience regarding this matter.
Kyle Thomas
Illinois State Board of Elections
Director-Voting and Registration Systems
* Dan Petrela…
The registration database is a frequent target of cyberattacks, [Ken Menzel, the Illinois State Board of Elections’ general counsel] said, but “this is the first time that we’re aware of that anybody’s gotten into anything — not for lack of trying .”
Menzel said the board is confident that no voter information in the database was altered and will follow the proper notification procedures if any personal information was compromised.
- Union Dues - Thursday, Jul 21, 16 @ 12:37 pm:
SQL injection is not an advanced techique at all and only possible if your web page is poorly written.
- Ghost - Thursday, Jul 21, 16 @ 12:39 pm:
Points to them for detecting this and their actions afterward. well done.
- Formerly Known as Frenchie M - Thursday, Jul 21, 16 @ 12:42 pm:
I’m sorry this happened — but there’s very little excuse these days to not prevent a SQL injection attack. They’ve been — for years — a primary attack vector for publicly accessible websites.
Another issue, though, and one that’s even more troubling — and something I don’t see in the post — is how the passwords were stored (encrypted? properly salted and then hashed?). They say the passwords need to be changed — and that’s good. But I hope — I hope — they’re stored properly.
- Bigtwich - Thursday, Jul 21, 16 @ 12:58 pm:
So, an early story today was about,
“Schneider complimenting Rauner’s campaign for helping get tons more data and info on IL voters”
Hum? s/
- illinois manufacturer - Thursday, Jul 21, 16 @ 1:05 pm:
Probably China but funny on Rauner. China has been hacking huge amounts of medical data.No one really knows why
- Skeptic - Thursday, Jul 21, 16 @ 1:19 pm:
*facepalm* You got breached by SQL Injection? Really?
- Jon - Thursday, Jul 21, 16 @ 1:32 pm:
Isn’t Vital Records, like birth certificates, etc., IDPH, not SBOE? Could it be Illinois Voter Registration System?
- Honeybear - Thursday, Jul 21, 16 @ 1:47 pm:
I don’t know what this all means but it sounds quite bad.
- PENSIONS ARE OFF LIMITS - Thursday, Jul 21, 16 @ 1:57 pm:
SQL injection is hacking 101. The superstars at the newly created division of IT definitely dropped the ball here. “Phony” superstars.
- Rhino - Thursday, Jul 21, 16 @ 3:42 pm:
The registration database is not private but is supposed to be available to anyone at any time. The key question is whether data was or could have been altered. If not, no harm, no foul.
- Arthur Andersen - Thursday, Jul 21, 16 @ 4:38 pm:
All snark aside, they need a guy like John Bambenek right now.
- Downstate Libertarian - Thursday, Jul 21, 16 @ 6:15 pm:
Not happy to see this. As other said, it is not an advanced attack. Not happy to see the password standards that are in place. Considering the “sophistication” of the attack, the point raised by Formerly… is a definite concern. Would not be surprised that any encryption not be up to current standards and salting is probably out of the question.
- PENSIONS ARE OFF LIMITS - Thursday, Jul 21, 16 @ 9:33 pm:
These rookies need to figure out what information was obtained. I’m not going to tell them what constitutes a breach. I ain’t no superstar. Hint: PIPA
- PENSIONS ARE OFF LIMITS - Thursday, Jul 21, 16 @ 9:38 pm:
Rhino
There is personal information in the database that is not publicly available. SQL injection gets that information from a poorly hosted website. Don’t argue for people who messed up. Ever.
- OneMan - Monday, Jul 25, 16 @ 3:23 pm:
Guess they should be thankful Little Bobby Tables isn’t of voting age yet.
https://xkcd.com/327/
Others have said it, but SQL injection is not a sophisticated attack.
Is the IVRS more than just voter data?