[BreachExchange] US Voting Machine Supplier Leaks 1.8 Million Chicago Voter Records [Updated]

Inga Goddijn inga at riskbasedsecurity.com
Fri Aug 18 09:20:55 EDT 2017


http://gizmodo.com/us-voting-machine-supplier-leaks-1-8-million-chicago-vo-1797947510

A leading US supplier of voting machines confirmed on Thursday that it
exposed the personal information of more than 1.8 million Illinois
residents.

State authorities and the Federal Bureau of Investigation were alerted this
week to a major data leak exposing the names, addresses, dates of birth,
partial Social Security numbers, and party affiliations of over a million
Chicago residents. Some driver’s license and state ID numbers were also
exposed.

Jon Hendren, who works for the cyber resilience firm UpGuard, discovered
the breach on an Amazon Web Services (AWS) device that was not secured by a
password. The voter data was then downloaded by cyber risk analyst Chris
Vickery, who determined Election Systems & Software (ES&S) controlled the
data. ES&S provides voting machines and services in at least 42 states.

Gizmodo spoke briefly with Chicago officials regarding the matter on
Saturday. The city did not immediately respond to a request for comment on
Thursday after ES&S posted about the leak on its website. A spokesman for
US Senator Dick Durbin of Illinois also confirmed on Saturday that the
senator had been made aware of the situation.

ES&S was notified this week by the FBI and began its own “full
investigation” with UpGuard’s assistance, “to perform thorough forensic
analyses of the AWS server,” the company said in a statement, adding that
the investigation is still ongoing.

ES&S said the AWS server did not include “any ballot information or vote
totals and were not in any way connected to Chicago’s voting or tabulation
systems.” The company stressed that the leak had “no impact on the results
of any election.”

An ES&S electronic poll book—a kind of device used to check in voters on
Election Day—was toyed with by hackers at the Defcon security conference
this year in Las Vegas. As Gizmodo exclusively reported, the hackers
discovered loaded on the device the personal records of 654,517 people who
voted in Shelby County, Tennessee, including names, addresses, birthdates,
and political party. The poll book was purchased on eBay. (ES&S did not
respond to requests for comment for this story.)

As reported by Gizmodo in June, UpGuard previously discovered a massive,
unsecured database leaking the personal information of nearly 200 million
US registered voters online. That leak was tied to Deep Root Analytics, a
conservative data firm contracted by the Republican National Committee
during the 2016 election.

Update, 3:52pm: Chicago Election Board Chairwoman Marisel Hernandez said in
a statement: “We are deeply troubled to learn of this incident, and very
relieved to have it contained quickly. We have been in steady contact with
ES&S to order and review the steps that must be taken, including the
investigation of ES&S’s AWS server. We will continue reviewing our
contract, policies, and practices with ES&S. We are taking steps to make
certain this can never happen again.”

Update, 4:05pm: UpGuard CEO Mike Baukes told Gizmodo: “ES&S was able to
secure the data promptly and issue a public statement with the details of
the exposure, aiding the UpGuard Cyber Risk Team in our mission of ensuring
that exposed information is secured. By working with enterprises like ES&S
to swiftly close such exposures, UpGuard will continue to raise awareness
about the issues of cyber risk affecting the digital landscape today.”