UpGuard’s Cyber Risk Team can now disclose that a data repository owned and operated by Omaha-based voting machine firm Election Systems & Software (ES&S) was left publicly downloadable on a cloud-based storage site, exposing the sensitive data of 1.8 million Chicago voters. The database, which included voter names, addresses, phone numbers, driver’s license numbers, and partial Social Security numbers, appeared to have been produced around the time of 2016 general election for the Chicago Board of Election Commissioners, an ES&S customer since 2014.
This data exposure highlights the continuing danger of sensitive voter information being exposed to the public internet by third-party vendors hired by party organizations and electoral supervisors to assist in their efforts. While ES&S’s prompt remediation of the breach is welcome news, the breadth of the exposure, affecting virtually every registered Chicago voter, is a stark reminder of how endemic cyber risk is to any process with a digital surface - including, in recent years, the processes of democracy.
On August 11th, 2017, UpGuard Director of Strategy Jon Hendren discovered an Amazon Web Services S3 bucket configured for public access, the contents almost entirely downloadable to anyone accessing the bucket’s web address. Located at the AWS S3 subdomain “chicagodb,” the main repository contains two folders, “Final Backup_GeneralNov2016” and “Final Backups_6_5_2017,” as well as a 12 GB MSSQL database file. Many of the file names indicated the name of ES&S, one of the nation’s most prominent provider of voting machines and associated software.
Following Hendren’s notification of the discovery to UpGuard Director of Cyber Risk Research Chris Vickery, Cyber Risk Team analysis revealed that this 12 GB file, as well as a 2.6 GB file and a 1.3 GB file stored in each folder, each constitutes a separate copy of a database containing the personal information of 1.864 million Chicago voters. After notifying the affected municipality, the exposure was closed on the evening of August 12th.
While the databases contain a large number of SQL tables, with file names including such phrases as “BallotImages,” “polldata_summary,” and “pollworker_times,” of perhaps greatest interest is the table set titled “dbo.voters.” This data set lists the 1.864 million Chicago voters, each assigned a unique, internal voter ID, as well as their names, addresses, dates of birth, and more identifying details across dozens of columns. This reporter, a Chicago resident and registered voter, verified the data’s accuracy by looking himself up.
A redacted image of the “dbo.voters” data set, with sensitive details redacted.
The column “Status,” with possible inputs of “A” or “I,” likely refers to whether the voter in that row is active or inactive. As Chicago only had 1.5 million active voters as of the November 2016 election, the listing of inactive voters in this database likely accounts for the discrepancy in numbers - indicating that this most likely constitutes a comprehensive list of all of Chicago’s voters.
While all of the unique IDs in the database are associated with the voters’ names, addresses, gender, and DOBs, as well as more logistical electoral information, for most of those listed, more sensitive data is also included. Most of the rows also contain the voters’ driver’s license numbers and phone numbers. Perhaps most critically, the last four digits of the Social Security numbers of all 1.8 million people are also in the data set, a highly sensitive type of data often used as PIN codes or for verification purposes.
In the case of this breach, as well as others, this data was only exposed because the Amazon S3 bucket in question was configured to allow public access, permitting anyone accessing the repository’s URL to download its contents. AWS default settings are built to ensure that only authorized employees are able to access this data. Should this access configuration be changed, the IT enterprise in question must have processes in place to ensure such exposures are caught and remediated.
The rapid closure of this breach by ES&S, and the ready cooperation of the City of Chicago in securing this data, is good news for all registered voters in the city. Once an exposure is found to have happened, it is imperative to move swiftly to foreclose upon the possibility of any exploitation of the data by malicious actors. However, for real cyber resilience to take hold, IT enterprises must begin to craft processes capable of checking and validating any such openings before it reaches the public internet, lest the barn door be closed only after the horse has bolted.
Misconfigurations are an internal problem that emanate from within the IT infrastructure of any enterprise; no hacker is necessary for massive damage to occur to digital systems and stored data. And the problem is pervasive, with Gartner estimating anywhere from 70% to 99% of data breaches result not from external, concerted attacks, but from internal misconfiguration of the affected IT systems. Keep Reading
Join the newsletter to receive UpGuard Breach Analysis post alerts via email
Cyber Risk Analyst
As a security researcher, Chris possesses a long track record of professional distinction and success discovering major data breaches and vulnerabilities across the cyber landscape. Previous achievements have included reports on the online exposure of hundreds of thousands of patient medical records, an illegal spam operation insecurely storing 1.4 billion target email addresses, a series of unsecured MongoDB databases which threatened the security of millions of internet users, and a publicly accessible database containing the voter registration records for 93.4 million Mexican citizens. As a researcher and analyst, Chris has helped to protect the most sensitive data of hundreds of millions of people, while raising awareness of the looming issues of cyber risk.
Cyber Resilience Analyst
Dan’s writing and journalism has appeared in VICE, Rolling Stone, Salon, The Daily Beast, Gawker, and Deadspin. His essay for Jacobin about labor exploitation in professional wrestling was anthologized in The Best American Sports Writing 2015. As a writer and analyst, Dan communicates the most important and relevant lessons of data breaches to both technically-proficient readers and to a general audience of those most affected by cyber risk.