UpGuard’s Cyber Risk Team can now disclose that a data repository owned and operated by Omaha-based voting machine firm Election Systems & Software (ES&S) was left publicly downloadable on a cloud-based storage site, exposing the sensitive data of 1.8 million Chicago voters. The database, which included voter names, addresses, phone numbers, driver’s license numbers, and partial Social Security numbers, appeared to have been produced around the time of 2016 general election for the Chicago Board of Election Commissioners, an ES&S customer since 2014.
This data exposure highlights the continuing danger of sensitive voter information being exposed to the public internet by third-party vendors hired by party organizations and electoral supervisors to assist in their efforts. While ES&S’s prompt remediation of the breach is welcome news, the breadth of the exposure, affecting virtually every registered Chicago voter, is a stark reminder of how endemic cyber risk is to any process with a digital surface - including, in recent years, the processes of democracy.
On August 11th, 2017, UpGuard Director of Strategy Jon Hendren discovered an Amazon Web Services S3 bucket configured for public access, the contents almost entirely downloadable to anyone accessing the bucket’s web address. Located at the AWS S3 subdomain “chicagodb,” the main repository contains two folders, “Final Backup_GeneralNov2016” and “Final Backups_6_5_2017,” as well as a 12 GB MSSQL database file. Many of the file names indicated the name of ES&S, one of the nation’s most prominent provider of voting machines and associated software.
Following Hendren’s notification of the discovery to UpGuard Director of Cyber Risk Research Chris Vickery, Cyber Risk Team analysis revealed that this 12 GB file, as well as a 2.6 GB file and a 1.3 GB file stored in each folder, each constitutes a separate copy of a database containing the personal information of 1.864 million Chicago voters. After notifying the affected municipality, the exposure was closed on the evening of August 12th.
While the databases contain a large number of SQL tables, with file names including such phrases as “BallotImages,” “polldata_summary,” and “pollworker_times,” of perhaps greatest interest is the table set titled “dbo.voters.” This data set lists the 1.864 million Chicago voters, each assigned a unique, internal voter ID, as well as their names, addresses, dates of birth, and more identifying details across dozens of columns. This reporter, a Chicago resident and registered voter, verified the data’s accuracy by looking himself up.
A redacted image of the “dbo.voters” data set, with sensitive details redacted.
The column “Status,” with possible inputs of “A” or “I,” likely refers to whether the voter in that row is active or inactive. As Chicago only had 1.5 million active voters as of the November 2016 election, the listing of inactive voters in this database likely accounts for the discrepancy in numbers - indicating that this most likely constitutes a comprehensive list of all of Chicago’s voters.
While all of the unique IDs in the database are associated with the voters’ names, addresses, gender, and DOBs, as well as more logistical electoral information, for most of those listed, more sensitive data is also included. Most of the rows also contain the voters’ driver’s license numbers and phone numbers. Perhaps most critically, the last four digits of the Social Security numbers of all 1.8 million people are also in the data set, a highly sensitive type of data often used as PIN codes or for verification purposes.
As previously seen with the UpGuard Cyber Risk Team’s discovery of the much larger exposure of 198 million US potential voters by a Republican National Committee vendor, the danger of voter data being unwittingly exposed by private companies tasked with its storage remains a real threat, one that transcends any partisan concerns. Such government contractor risk is an avenue by which data used by the government for public processes might leak onto the internet. As more and more functions of daily life shift to a digital footing, so too grows the surface for a potential cyber attack, no matter whether this cyber risk is shifted off to a third-party vendor. Cyber risk is business risk, and a third party vendor’s cyber risk is the main enterprise’s business risk as well. Without a means of cyber risk scoring for potential partners, enterprises will have no idea how securely their data will be handed if shared. ES&S’s CSTAR cyber risk score of 428, out of a possible 950, indicates the middling security posture to which this data was entrusted.
ES&S's CSTAR external scan.
In the case of this breach, as well as others, this data was only exposed because the Amazon S3 bucket in question was configured to allow public access, permitting anyone accessing the repository’s URL to download its contents. AWS default settings are built to ensure that only authorized employees are able to access this data. Should this access configuration be changed, the IT enterprise in question must have processes in place to ensure such exposures are caught and remediated.
The rapid closure of this breach by ES&S, and the ready cooperation of the City of Chicago in securing this data, is good news for all registered voters in the city. Once an exposure is found to have happened, it is imperative to move swiftly to foreclose upon the possibility of any exploitation of the data by malicious actors. However, for real cyber resilience to take hold, IT enterprises must begin to craft processes capable of checking and validating any such openings before it reaches the public internet, lest the barn door be closed only after the horse has bolted.