An election systems company accidentally left personal information on what appeared to be almost 2 million current and former Chicago voters exposed online without any form of security.
The voter rolls contain information for more than 1.8 million people, including their names, dates of birth, state ID numbers, and the last four digits of their Social Security numbers. They don’t include voting histories. Researchers at UpGuard are responsible for discovering a number of major data leaks from publicly available databases online, including millions of people’s information from a GOP analytics company and Verizon.
Allen said the data turned out to be backup files stored on an outside server for Election Systems & Software, the vendor that manages the polling books.
UpGuard said the data exposure “highlights the continuing danger of sensitive voter information being exposed to the public internet by third-party vendors hired by party organizations and electoral supervisors to assist in their efforts”.
Jim Allen, a spokesman for the Chicago elections board, said it was unknown how long the unsecured files had been accessible on the server. The files were immediately secured and the server was shut down on Saturday after ES&S was alerted to the leak. UpGuard also recently discovered critical infrastructure data exposed by a Texas energy firm.
“We were deeply troubled to learn of this incident, and very relieved to have it contained quickly”, Chicago Election Board Chairwoman Marisel A. Hernandez said in a statement. “This was a violation of the contract terms that explicitly lay out the requirement to safeguard the voters’ data”.
“It’s not a server that we manage or control in any way, shape or form. We are taking steps to make certain this can never happen again”.
The database operated by ES&S was secured within 24 hours of UpGuard alerting the company of the issue, but it’s almost impossible to say if UpGuard’s researchers were the first to access the data, or what the intentions of others may have been.
“For real cyber resilience to take hold, IT enterprises must begin to craft processes capable of checking and validating any such openings before it reaches the public internet, lest the barn door be closed only after the horse has bolted”.