[BreachExchange] Sacramento Bee Leaks 19.5 Million California Voter Records, Promptly Compromised by Hackers

Inga Goddijn inga at riskbasedsecurity.com
Fri Feb 9 19:25:43 EST 2018


https://gizmodo.com/sacramento-bee-leaked-19-5-million-california-voter-rec-1822835127

Last month, a local California newspaper left more than 19 million voter
records exposed online. Gizmodo confirmed this week that the records were
compromised during an apparent ransomware attack.

The *Sacramento Bee* said in a statement that a firewall protecting its
database was not restored during routine maintenance last month, leaving
the 19,501,258 voter files publicly accessible. Additionally, the names,
home addresses, email addresses, and phone numbers of 52,873 Sacramento Bee
subscribers were compromised.

“We take this incident seriously and have begun efforts to notify each of
the individuals on the contact list and to provide them resources to help
guard against potential misuse of their personal contact information,” the
paper said in a statement. “We are also working with the Secretary of
State’s office to share with them the details of this intrusion.”

The Kromtech Security Center first discovered the data on January 31st
<https://mackeepersecurity.com/post/california-voter-database-leaked-again-with-more-data-at-risk>
and reviewed records from several of the exposed databases before
determining who owned the data. Kromtech reached out immediately to
multiple employees in the *Bee*’s IT department but received no response.

Gizmodo was notified about the breach on February 2nd and reached out to an
executive editor at the *Bee*. Our email was not returned. After emailing
two other members of the *Bee*’s editorial board on Monday—including Gary
Wortel, the paper’s president and publisher—Gizmodo was contacted by a
public relations director at The McClatchy Company, the *Bee*’s owner.

A McClatchy spokesperson said the executive editor first contacted by
Gizmodo had left the paper the day our email was sent.

McClatchy provided an initial statement on Tuesday, saying it had “strict
protocols in place to ensure the security of our data” and that it was
“aware of a ransomware attack on one of our servers that was located
outside our core IT structure.” The spokesperson added: “We know that in
databases apparently targeted, no personally identifiable information, as
defined by the State of California, was involved.”

Below is a sample of a leaked voter record, with personal information
redacted. It contains the voter’s name, phone number, address, gender, date
of birth, and political affiliation, among other election-related details.

The subscriber database includes only residents who subscribed to the paper
prior to 2017, the paper said.

Another database labeled “users” contained approximately 55,000 records.
Samples provided by Kromtech revealed names, email addresses, and IP
addresses.

The *Bee* said it did not pay the ransom and instead deleted the databases
to prevent further intrusions.

On Tuesday afternoon, McClatchy requested additional time to investigate
the intrusion. Gizmodo agreed and asked for additional details about the
type of ransomware involved. The hope was to determine whether the
ransomware used in the attack was the same variety involved in a separate
recent incident
<https://gizmodo.com/stolen-california-voter-database-held-for-bitcoin-ranso-1821325023#_ga=2.139854515.1266398847.1518104649-1285737031.1493667211>,
which compromised 19.2 million California voter records in December.

The question is whether the same actor is targeting California voter
records specifically. It is also possible the incidents are unrelated.

However, the *Bee* did not provide Gizmodo with additional information
about the ransomware. Instead, on Wednesday night, without notice, the
paper ran its own story about the breach. “I hope you understand that our
executive team felt strongly that the *Bee* should inform its readership,
some of whom may be affected by this intrusion, as soon as we felt we
understood the boundaries of the incident,” the McClatchy spokesperson said
after the publication of the *Bee*’s story.

“California law provides prohibitions and criminal penalties for the misuse
or improper acquisition of voter registration information,” a spokesperson
at the California Secretary of State’s office told Gizmodo on Tuesday.

Under state law, access to voter data is restricted; however, journalists,
political campaigns, and academic researchers can acquire the data for
certain purposes. The data provided does not include Social Security
numbers, driver’s license numbers, or state ID numbers. Sharing the data or
obtaining it without authorization is illegal.

California’s administrative
<https://govt.westlaw.com/calregs/Browse/Home/California/CaliforniaCodeofRegulations?guid=ID110BE30D49311DEBC02831C6D6C108E&originationContext=documenttoc&transitionType=Default&contextData=(sc.Default)>
and election
<https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?sectionNum=18109.&lawCode=ELEC>
codes appear written primarily to penalize individuals who acquire voter
data without permission or use it in unauthorized ways, such as for
commercial gain. It’s unclear if those rules and the corresponding
penalties apply to those who negligently handle voter data or allow
unauthorized persons to access it unintentionally.

In a statement published by the *Bee*, the Secretary of State’s office
said: “McClatchy confirmed that the *Sacramento Bee*’s server was breached.
The Secretary of State’s office takes any allegation of improper use of
voter data very seriously, and continues to work with the *Sacramento Bee*
and McClatchy to gain a full picture of this incident. Our office has also
notified law enforcement.”

With regard to the voter data, the *Bee* wrote: “It’s not the first time
this information has been exposed on the public internet.” By Gizmodo’s
count, however, the previous leak in December contained 237,135 fewer voter
records.