Mysterious Data Breach Exposes 191 Million Voter Records
When it comes to voting, there are basically two arguments: a civic one, which states that voting is the moral duty of every able citizen in a democracy, and an economic one, which states that voting is a fruitless endeavor in a game with terrible odds. Perhaps the economists had the right of it. A massive database with 191 million voter records has made its way online, and the strangest part is, no one can quite figure out who put it there or when it will be taken down.
Chris Vickery, an independent security researcher, discovered the database and reported it to DataBreaches.net, which keeps track of huge online security gaffes, just as the name suggests. From there, Vickery and DataBreaches worked together with Steve Ragan of security news blog Salted Hash to investigate where the information comes from, how it got online and how to get rid of it.
First, the bad news: The data breach is massive, and contains tons of information that you'd probably rather keep private. Every state compiles voting records after each election, and while the information is not usually public, it's not impossible to obtain legally, either. In order to vote, citizens disclose their names, addresses, birth dates, genders, ethnicities, dates of voter registration, party affiliation, e-mail addresses (optional) and party affiliations.
It gets worse: The database contains records of the candidates for whom people voted since 2000.
From there, the government adds a voter ID number, information about absentee voter status and whether or not a person is on the Do Not Call list. It gets worse, however: The database also contains records of the candidates for whom people voted since 2000.
It's not all doom and gloom, however. The voting records do not include driver's license numbers, social security numbers, financial records or any kind of familial information. There's no password associated with an online account, either, even if a voter gave his or her e-mail address. This means that the potential for fraud is more limited than, for example, a well-executed phishing attack. On the other hand, it's an ideal way to look up full addresses and phone numbers for private citizens who'd probably rather not be found, like police officers and stalking victims.
Vickery, Ragan and DataBreaches have a fascinating detective yarn underway right now to discover who put together and leaked the database, but the bottom line is that no one knows. Whether the database is online due to malfeasance or carelessness is also not clear. Some of the information gathered so far points toward Nation Builder, a political data collection group, but the company denies any wrongdoing.
In the meantime, the researchers have contacted the FBI and the California Attorney General's Office, since both states have strict regulations on what kind of voter data can and cannot be shared. These organizations may be able to take the database offline, but have not done so just yet. (For obvious reasons, the researchers have not shared where they found the database.)
As far as what individual citizens can do to protect their identities, the answer is "not much." The good news is that there's no immediate danger for most people, since there's no compromising financial or online data. Most of this information, a reasonably tech-savvy person could track down through a series of Google searches.
For others, who need to keep their addresses and phone numbers private for safety reasons, contacting your local law enforcement as a precautionary measure might not be a bad idea.