* WIRED last month…
Databases containing sensitive voter information from multiple counties in Illinois were openly accessible on the internet, revealing 4.6 million records that included driver’s license numbers as well as full and partial Social Security Numbers and documents like death certificates. Longtime security researcher Jeremiah Fowler stumbled upon one of the databases that appeared to contain information from DeKalb County, Illinois, and subsequently discovered another 12 exposed databases. None were password protected nor required any type of authentication to access. […]
“I’ve found voter databases in the past, so I kind of know if it’s a low-level marketing outreach database that someone has purchased,” Fowler tells WIRED. “But here I saw voter applications— there were actually scans of documents, and then screenshots of online applications. I saw voter rolls for active voters, absentee voters with email addresses, some of them military email addresses. And when I saw Social Security numbers and driver’s license numbers and death certificates I was like, ‘OK, those shouldn’t be there.’”
Through public records, Fowler determined that all of the counties appear to contract with an Illinois-based election management service called Platinum Technology Resource, which provides voter registration software and other digital tools along with services like ballot printing. Many counties in Illinois use Platinum Technology Resource as an election services provider, including DeKalb, which confirmed its relationship with Platinum to WIRED.
Fowler reported the unprotected databases to Platinum on July 18, but he says he didn’t receive a response and the databases remained exposed. As Fowler dug deeper into public records, he realized that Platinum works with the Illinois-based managed services provider Magenium, so he sent a disclosure to this company as well on July 19. Again, he says he did not receive a response, but shortly after the databases were secured, pulling them from public view. Platinum and Magenium did not return WIRED’s multiple requests for comment.
* Capitol News Illinois today…
Fowler identified 15 unsecure databases before contacting several county clerks and eventually a technology vendor that is contracted to provide services for those counties.
Fowler told Capitol News Illinois that the list of counties affected include Alexander, Boone, Champaign, DeKalb, Effingham, Gallatin, Hamilton, Henry, Jefferson, Ogle, Pike, Sangamon, St. Clair, Williamson and Winnebago.
He traced the issue to Platinum Technology Resource, an elections technology company based in Batavia. It is unclear if anyone other than Fowler accessed the information, although Platinum has denied that any voter registration forms were “leaked or stolen.”
Capitol News Illinois contacted county clerks in all of the counties Fowler identified. All but one, Alexander County, responded and indicated they had been in communication with Platinum about the issue. One other county, Henry, denied that they were affected by the incident. […]
Platinum’s website indicates it currently contracts with 20 election authorities around Illinois. A Capitol News Illinois review of 12 of its contracts showed they had a cumulative value of more than $1.7 million of annual license fees ranging from about $4,500 to $58,000.
- Perrid - Tuesday, Sep 17, 24 @ 9:32 am:
The first time Rich posted this I think it only mentioned DeKalb and I thought I might not be affected, but apparently not. Sigh.
- hisgirlfriday - Tuesday, Sep 17, 24 @ 9:51 am:
Not the first time this company shows up in a screwup
https://www.bnd.com/news/politics-government/article68395487.html
- OutHereInTheMiddle - Tuesday, Sep 17, 24 @ 10:11 am:
And like every breach of personal information nothing will happen because there are no meaningful privacy laws in the US.
- Two Left Feet - Tuesday, Sep 17, 24 @ 10:31 am:
Regardless of your political affiliation, we could do so much more to secure our elections. Breaches like this reduce the public’s trust in the system. I’m just spitballing ideas, but consider using the services of Jeremiah Fowler and other white hats to perform regular security audits. Let’s not wait for evidence of breaches and wrongdoing, and spend more resources on prevention.
- Nearly Normal - Tuesday, Sep 17, 24 @ 10:39 am:
News like this does not help assure voters that the election process is secure. This just feeds into the conspiracy theories out there that the voting was and still can be rigged. Just what we don’t need with an upcoming presidential election that may be the closest in history. As an election judge, I have had voters who won’t use the electronic voting machines because they think they can be rigged. They want a paper ballot. Well, guess what? the paper ballot is fed into an electronic counter. I don’t tell them that but everything is taken to the County Clerk’s office and reran on their machines.
- H-W - Tuesday, Sep 17, 24 @ 10:54 am:
Thanks to Fowler. Good work.
Perhaps I am off-base, but I prefer news like this. It suggests a problem was found, and the problem was resolved. This is a common model for cyber-security experts: try to break into a system in order to find out if a system is broken. As a result, we know that those voter rolls are now secured.
Ironically, now that we have less reason to fear, I am certain some will use this new information to suggest (falsely) that we are now less secure.
- Candy Dogood - Tuesday, Sep 17, 24 @ 11:59 am:
These counties essentially paid a vendor who published these records on the website for anyone with any interest to access and retain.
Hopefully they’re adequately upset. This wasn’t a whoopsies.
- Suburban Mom - Tuesday, Sep 17, 24 @ 12:06 pm:
You should start with the assumption that all data will eventually be breached, and work from there. If you know that all your data, everywhere, would be breached, what societal and legal protections would you like to have in place? You can’t protect yourself; it has to be a systemic set of solutions.
- Give Us Barabbas - Tuesday, Sep 17, 24 @ 12:16 pm:
A data breach like this is a bell you can’t unring; your personal data was out there, and you can bet someone else besides the white hat hacker slurped that data up with automatic data scraper bots. Next stop the darkweb brokers. This company needs a very strong punishment in order to be a warning to the others.
- Two Left Feet - Tuesday, Sep 17, 24 @ 12:44 pm:
“Perhaps I am off-base, but I prefer news like this”
Preferred relative to what? I prefer a regularly scheduled audit by election authorities (including any third party providers) which includes compliance with laws including the handling of personal information. The audit would list deficiencies and the steps taken to correct. The audit is made public. Many other governmental entities do this. It does not make the public confident in the election process when a breach is publish in a national news source shortly before voting begins. Did Fowler reach out to the election authorities? Did the county clerks and third party providers notify the individual impacted by the breach?
- thisjustinagain - Tuesday, Sep 17, 24 @ 6:46 pm:
Why isn’t all this data encrypted, when I can encrypt on my lowly home machine??