Capitol Fax.com - Your Illinois News Radar

Latest Post | Last 10 Posts | Archives

Previous Post: Get in front of it, already
Next Post: Unemployment rate down, but IDES still gloomy

“Foreign” hack attack on state voter registration site

Posted in:

• Illinois

* From the McLean County Clerk’s Facebook page…

The State Board of Elections (SBE) fell victim to a cyberattack that was detected on July 12, 2016. Specifically, the target was the [Illinois Vital Records System] database. Once discovered, State Board of Elections closed the point of entry. On July 13th, once the severity of the attack was realized, as a precautionary measure, the entire IVRS system was shut down, including online voter registration.

SBE’s Information Technology and Voting and Registration Systems staff immediately began researching the extent of the infiltration. Thus far, we have determined the following:

· The pathway into IVRS was NOT through our firewalls but through a vulnerability on our public web page that an applicant may use to check the status of their online voter registration application.
· The method used was SQL injection. The offenders were able to inject SQL database queries into the IVRS database in order to access information. This was a highly sophisticated attack most likely from a foreign (international) entity.
· We have found no evidence that they added, changed, or deleted any information in the IVRS database. Their efforts to obtain voter signature images and voter history were unsuccessful.
· They were able to retrieve a number of voter records. We are in the process of determining the exact number of voter records and specific names of all individuals affected. (Because of the complex methods used to access the data, this may take 10-15 days.)
· In an effort to prevent an attack such as this from happening in the future, we have made a number of security enhancements to the IVRS and POVA systems.
· Once the system is brought back online, all IVRS user passwords will need to be changed at the first login (or by your vendor for system specific accounts). The new password must be a minimum of eight characters in length, one of which must be a non-alphanumeric character ($, *, # etc.).

Pursuant to the Personal Information Protection Act (815 ILCS530/), the Illinois General Assembly and the Office of the Attorney General have been notified of the incursion. Furthermore, once we have determined the number of voter records and the individuals whose information was collected, we are prepared to take the proper steps required to notify those persons.

A separate notification will be sent indicating when you and your staff may access IVRS. Thank you for your patience regarding this matter.

Kyle Thomas
Illinois State Board of Elections
Director-Voting and Registration Systems

* Dan Petrela…

The registration database is a frequent target of cyberattacks, [Ken Menzel, the Illinois State Board of Elections’ general counsel] said, but “this is the first time that we’re aware of that anybody’s gotten into anything — not for lack of trying .”

Menzel said the board is confident that no voter information in the database was altered and will follow the proper notification procedures if any personal information was compromised.

posted by Rich Miller
Thursday, Jul 21, 16 @ 12:34 pm

Comments

1. SQL injection is not an advanced techique at all and only possible if your web page is poorly written.

   Comment by Union Dues Thursday, Jul 21, 16 @ 12:37 pm

2. Points to them for detecting this and their actions afterward. well done.

   Comment by Ghost Thursday, Jul 21, 16 @ 12:39 pm

3. I’m sorry this happened — but there’s very little excuse these days to not prevent a SQL injection attack. They’ve been — for years — a primary attack vector for publicly accessible websites.

   Another issue, though, and one that’s even more troubling — and something I don’t see in the post — is how the passwords were stored (encrypted? properly salted and then hashed?). They say the passwords need to be changed — and that’s good. But I hope — I hope — they’re stored properly.

   Comment by Formerly Known as Frenchie M Thursday, Jul 21, 16 @ 12:42 pm

4. So, an early story today was about,

   “Schneider complimenting Rauner’s campaign for helping get tons more data and info on IL voters”

   Hum? s/

   Comment by Bigtwich Thursday, Jul 21, 16 @ 12:58 pm

5. Probably China but funny on Rauner. China has been hacking huge amounts of medical data.No one really knows why

   Comment by illinois manufacturer Thursday, Jul 21, 16 @ 1:05 pm

6. *facepalm* You got breached by SQL Injection? Really?

   Comment by Skeptic Thursday, Jul 21, 16 @ 1:19 pm

7. Isn’t Vital Records, like birth certificates, etc., IDPH, not SBOE? Could it be Illinois Voter Registration System?

   Comment by Jon Thursday, Jul 21, 16 @ 1:32 pm

8. I don’t know what this all means but it sounds quite bad.

   Comment by Honeybear Thursday, Jul 21, 16 @ 1:47 pm

9. SQL injection is hacking 101. The superstars at the newly created division of IT definitely dropped the ball here. “Phony” superstars.

   Comment by PENSIONS ARE OFF LIMITS Thursday, Jul 21, 16 @ 1:57 pm

10. The registration database is not private but is supposed to be available to anyone at any time. The key question is whether data was or could have been altered. If not, no harm, no foul.

    Comment by Rhino Thursday, Jul 21, 16 @ 3:42 pm

11. All snark aside, they need a guy like John Bambenek right now.

    Comment by Arthur Andersen Thursday, Jul 21, 16 @ 4:38 pm

12. Not happy to see this. As other said, it is not an advanced attack. Not happy to see the password standards that are in place. Considering the “sophistication” of the attack, the point raised by Formerly… is a definite concern. Would not be surprised that any encryption not be up to current standards and salting is probably out of the question.

    Comment by Downstate Libertarian Thursday, Jul 21, 16 @ 6:15 pm

13. These rookies need to figure out what information was obtained. I’m not going to tell them what constitutes a breach. I ain’t no superstar. Hint: PIPA

    Comment by PENSIONS ARE OFF LIMITS Thursday, Jul 21, 16 @ 9:33 pm

14. Rhino

    There is personal information in the database that is not publicly available. SQL injection gets that information from a poorly hosted website. Don’t argue for people who messed up. Ever.

    Comment by PENSIONS ARE OFF LIMITS Thursday, Jul 21, 16 @ 9:38 pm

15. Guess they should be thankful Little Bobby Tables isn’t of voting age yet.

    https://xkcd.com/327/

    Others have said it, but SQL injection is not a sophisticated attack.

    Is the IVRS more than just voter data?

    Comment by OneMan Monday, Jul 25, 16 @ 3:23 pm

Add a comment

Sorry, comments are closed at this time.

Previous Post: Get in front of it, already
Next Post: Unemployment rate down, but IDES still gloomy

Last 10 posts:

• Reader comments closed for the weekend (11-22)
• Isabel’s afternoon roundup (11-22)
• The Waukegan City Clerk was railroaded (11-22)
• Whatever happened, the city has a $40 million budget hole it didn't disclose until now (11-22)
• Manar gives state agencies budget guidance: Cut, cut, cut (11-22)
• Roundup: Ex-Chicago Ald. Danny Solis testifies in Madigan corruption trial (11-22)
• Open thread (11-22)
• Isabel’s morning briefing (11-22)
• SUBSCRIBERS ONLY - Today's edition of Capitol Fax (use all CAPS in password) (11-22)
• Live coverage (11-22)

more Posts (Archives)

WordPress Mobile Edition available at alexking.org.

powered by WordPress.