Databases containing sensitive voter information for several Illinois counties have been exposed on the internet, revealing 4.6 million records including driver’s license numbers, full or partial Social Security numbers, death certificates and other documents. Longtime security researcher Jeremiah Fowler stumbled across one of the databases that appeared to contain information for DeKalb County, Illinois, and has since discovered 12 more exposed databases, none of which are password protected or require any authentication to access.
As criminal and state-sponsored hacks become increasingly sophisticated and aggressive, threats to critical infrastructure loom larger. But often the biggest vulnerabilities come not from arcane software issues, but from major errors that open the vault doors and put important information at risk. Years of work to strengthen election security across the United States have significantly improved state and local governments’ awareness of cybersecurity issues. But as this year’s U.S. elections rapidly approach, these findings reflect the reality that there are always more oversights to catch.
“I’ve found voter databases in the past, so I can usually tell if they’re low-level marketing outreach databases that someone bought,” Fowler told WIRED. “But what I saw here were voter applications. There were actually scans of the documents, and screenshots of the online applications. I looked at voter rolls of active voters, absentee voters who had email addresses, some of which were military email addresses. And when I saw Social Security numbers, driver’s license numbers, death certificates, I thought, ‘Oh, these shouldn’t be here.’”
Through public records, Fowler found that all of the counties appear to have contracted with Illinois-based election management services company Platinum Technology Resources, which offers services like ballot printing, as well as voter registration software and other digital tools. Many Illinois counties use Platinum Technology Resources as their election services provider, and DeKalb County confirmed its relationship with the company to WIRED.
Fowler reported the unsecured database to Platinum on July 18, but received no response, and the database remained unsecured. As Fowler dug deeper into public records, he discovered Platinum had partnered with Illinois-based managed services provider Magenium, and sent the company a disclosure document on July 19. Again, he received no response, but shortly afterward the database was secured and was no longer available to the public. Platinum and Magenium did not respond to multiple requests for comment from WIRED.
Platinum began distributing notices reviewed by WIRED to affected counties on Friday. “We have evidence of the allegations that file storage containing voter registration documents may have been scanned,” Platinum wrote, adding that the exposed database does not indicate a more serious breach of its systems. “A thorough investigation was conducted, and the findings support our continued belief that there is no evidence that voter registration forms were leaked or stolen. … We have taken this opportunity to implement new, additional safeguards regarding voter registration documents.”
Illinois’ data breach notification law requires notifying the state within 45 days of an incident, and a standard version of Champaign County’s technology services contract, released through a Freedom of Information Act request, requires contractors to notify affected counties within 15 minutes of discovering a data breach.
Fowler said the leaked information could make affected individuals more susceptible to identity theft and other fraud, or could be used to submit absentee ballot requests multiple times or engage in other questionable activities that could cast doubt on a voter’s legitimate vote and take time to resolve. But he added that the death certificates and other documents in the trove represent the work that election officials across the country are doing to manage voter registration and make sure everyone’s vote is counted accurately.
“Basic data security has certainly improved, and we don’t see this kind of thing very often anymore,” Fowler said, “but I found this using the open, public internet, without any special tools. At the end of the day, this was critical infrastructure compromised.”