40M UK Voter Register Records Were Stolen in Preventable Security Breach
Published on August 6, 2024
Several databases from multiple Illinois counties containing sensitive voter and candidate information were found publicly accessible online by cybersecurity researcher Jeremiah Fowler as this year's U.S. election quickly approaches. These hosted 4.6 million documents and belonged to a tech contractor that left the sensitive data unprotected without enforcing any authentication or passwords.
The security researcher freely accessed critical infrastructure without specialized tools, uncovering 13 exposed databases, which raises questions about election security in 2024.
The exposed data include voter records, ballots, lists, and election records with personally identifiable information (PII), full and partial Social Security Numbers (SSN), driver's licenses, and voter IDs, as well as death certificates and more.
Scans of voter applications, screenshots of online applications, and voter rolls for active voters were found in these databases, as well as absentee voters’ email addresses, some of which were military emails.
The database also contained candidate documents, which held personal phone numbers, email addresses, home addresses, candidate loyalty oaths, economic interests, petitions with voters’ signatures and addresses, and more. Even worse, official ballot templates for primaries and general elections were also exposed.
Public records revealed all the affected counties work with the Illinois-based election management service Platinum Technology Resource. The tech provider offers voter registration software and other digital tools, as well as various services such as ballot printing.
Platinum works with the Illinois-based managed services provider Magenium, and the security researcher sent disclosures to both companies on July 18 and 19, respectively. The databases were secured and made private shortly after, even though neither of the two responded.
Platinum began distributing a notification to impacted counties on Friday acknowledging the data breach. The note also mentioned that their systems weren’t breached and that no evidence of document leak was found.
The U.S. law requires a contractor to notify the impacted county within 15 minutes of identifying a data breach, and Illinois's data breach notification law requires notifying the state within 45 days.