It has happened again, more than 1.8 million voter records belonging to Americans have been accidentally leaked online by a US voting machine supplier for dozens of US states.
The voter records were left openly accessible online due to a misconfiguration in AWS-hosted storage.
Once again, the huge trove of records was spotted by the popular UpGuard researcher Chris Vickery. The archive contained records the ES&S collected from recent elections in Chicago, Illinois.
“As part of an effort to find unsecured files on Amazon Web Services (AWS) server platforms, a private researcher completed a download of the Election Systems & Software (ES&S) backup files of voter data that were prepared for Chicago’s electronic pollbooks and stored on the AWS platform.” reads the statement issued by ES&S. “The voter data in the backup files included about 1.8 million names, addresses, dates of birth, partial Social Security numbers, and in some cases, driver’s license and state ID numbers.”
The records included voters’ names, addresses, dates of birth, and partial social security numbers. In some cases, the records also included drivers’ licenses and state ID numbers.
“The backup files on the AWS server did not include any ballot information or vote totals and were not in any way connected to Chicago’s voting or tabulation systems,” reads the statement issued by the ES&S.
“These back-up files had no impact on any voters’ registration records and had no impact on the results of any election.”
Vickery alerted ES&S on August 12, he discovered the data while investigating sensitive data insecurely hosted on AWS.
The cloud system was taken down four hours after the expert notified it to the company which supplies voting machines and backend services to more than 40 US states.
Açcording to UpGuard, the vulnerable service was an AWS S3 instance accidentally set up to be open to the public. At the time I was writing we have news of the leakage only of Chicago’s voters’ data was exposed.
Chicago’s election board, meanwhile, was concerned by the discovery but appreciated the efforts of ES&S in promptly respond the incident.
“We have been in steady contact with ES&S to order and review the steps that must be taken, including the investigation of ES&S’s AWS server,” reads a statement issued by the Chicago Election Board chairwoman Marisel Hernandez.
“We will continue reviewing our contract, policies and practices with ES&S. We are taking steps to make certain this can never happen again.”
Chris Vickery discovered many other clamorous cases of open database exposed on the Internet. In July he discovered data belonging to 14 million U.S.-based Verizon customers that have been exposed on an unprotected AWS Server by a partner of the telecommunications company. In December 2015 the security expert discovered 191 million records belonging to US voters online, on April 2016 he also discovered a 132 GB MongoDB database open online and containing 93.4 million Mexican voter records.
In March 2016, Chris Vickery has discovered online the database of the Kinoptic iOS app, which was abandoned by developers, with details of over 198,000 users.
In January 2017, the expert discovered online an open Rsync server hosting the personal details for at least 200,000 IndyCar racing fans.
In March, he announced a 1.37 billion records data leak, in June 2017 Vickery revealed the DRA firm left 1.1 TB of data unsecured on an Amazon S3, 198 million US voter records exposed.
[adrotate banner=”9″] | [adrotate banner=”12″] |
(Security Affairs – voter records, election)
[adrotate banner=”13″]
BlackBerry reported that the financially motivated group FIN7 targeted the IT department of a large…
An international law enforcement operation led to the disruption of the prominent phishing-as-a-service platform LabHost.…
Russia-linked APT Sandworm employed a previously undocumented backdoor called Kapeka in attacks against Eastern Europe since…
Cisco has addressed a high-severity vulnerability in its Integrated Management Controller (IMC) for which publicly…
Threat actors are exploiting the CVE-2023-22518 flaw in Atlassian servers to deploy a Linux variant of…
Ivanti addressed two critical vulnerabilities in its Avalanche mobile device management (MDM) solution, that can…
This website uses cookies.