Cybersecurity researcher Jeremiah Fowler discovered 13 non-password-protected databases containing 4.6 million documents, including sensitive voter records and election-related documents, and reported them to VpnMentor.
This breach raises significant concerns about data protection and the security of election systems in the United States.
Discovery of the Breach
Jeremiah Fowler’s investigation began when he stumbled upon a non-password-protected database containing various documents such as voting records, ballot templates, and voter registrations.
All physical addresses in the database appeared to be from a single county in Illinois.
Fowler’s further analysis revealed that by simply replacing the county name in the database name format, he could identify 13 open and publicly accessible databases and 15 that were not publicly accessible.
The exposed databases contained .csv documents with lists of available or active voters, absentees, early mail-in voting records, and duplicate voters.
More alarmingly, some documents marked as “voter records” included sensitive personal information such as full names, physical addresses, email addresses, dates of birth, Social Security Numbers (full and partial), and driver’s license numbers.
The database also contained voter registration applications, death certificates, change of address records, and candidate documents with personal contact details.
Upon identifying the dataset’s owner, Fowler suspected that multiple counties could be inadvertently exposing voter and election records. He discovered that these counties had contracts with Platinum Technology Resource, which provides various election-related services.
Fowler sent a responsible disclosure notice to Platinum Technology Resource. However, the database remained publicly accessible even after his initial report.
Fowler then contacted Magenium, an Illinois-based technology company responsible for the technical support of Platinum Election Services. Following his responsible disclosure notice to Magenium, the databases were restricted.
A representative from Magenium confirmed the databases’ closure and that Platinum Election Services was aware of the situation.
It remains unknown how long the documents were exposed or if anyone else gained access, with only an internal forensic audit capable of identifying additional access or suspicious activity.
Exposure of such sensitive information poses significant risks beyond the political sphere. Criminals could potentially use the information intended for voter registration to commit identity theft and various forms of fraud.
The exposed data could also be used for targeted social engineering attacks, voter intimidation, and disinformation campaigns.
To mitigate these risks, Fowler recommends that organizations managing sensitive documents use unique formats and names that are difficult to guess.
He also suggests combining access controls and encryption, such as using access tokens to generate unique, time-limited access for authenticated users.
This approach ensures that only authorized users can access or view the documents, limiting the potential for unauthorized access. This incident underscores the critical importance of robust data protection measures for election systems.
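The recommendation above, unguessable document names combined with time-limited access tokens for authenticated users, can be sketched as follows. This is an added example, not code from Fowler's report or any vendor named in the article; the function names, the token layout and the `clerk-17` user are assumptions, and it covers only the token part of the advice, not encryption at rest.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed key for this example; a real service would load it from a secret store.
SIGNING_KEY = secrets.token_bytes(32)


def new_document_id():
    """Random storage name with no county name or other guessable pattern."""
    return secrets.token_urlsafe(24)


def _sign(user_id, doc_id, expires, key):
    # JSON-encode the fields so their boundaries cannot be confused.
    payload = json.dumps([user_id, doc_id, expires]).encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def issue_token(user_id, doc_id, ttl_seconds, key=SIGNING_KEY, now=None):
    """Issue a token to an already-authenticated user for one document."""
    issued = time.time() if now is None else now
    expires = int(issued + ttl_seconds)
    return f"{expires}.{_sign(user_id, doc_id, expires, key)}"


def verify_token(token, user_id, doc_id, key=SIGNING_KEY, now=None):
    """Return True only if the token is unexpired and bound to this user and document."""
    try:
        expires_str, sig = token.split(".", 1)
        expires = int(expires_str)
    except ValueError:
        return False
    expected = _sign(user_id, doc_id, expires, key)
    # Constant-time comparison avoids leaking the signature through timing.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False
    current = time.time() if now is None else now
    return current < expires


if __name__ == "__main__":
    doc = new_document_id()
    tok = issue_token("clerk-17", doc, ttl_seconds=300)
    print(doc, verify_token(tok, "clerk-17", doc), verify_token(tok, "other", doc))
```

Because the expiry, user and document are all covered by the signature, a token copied to another account, reused for a different file, or edited to extend its lifetime fails verification.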
Maintaining public trust in the electoral process is paramount, and any breach of sensitive voter information can have far-reaching consequences.
Organizations handling such data must adopt best practices in cybersecurity to prevent future exposures and protect the integrity of the democratic process.