Databases containing sensitive voter information from multiple counties in Illinois were openly accessible on the internet, revealing 4.6 million records that included driver's license numbers as well as full and partial Social Security numbers and documents like death certificates. Longtime security researcher Jeremiah Fowler stumbled upon one of the databases that appeared to contain information from DeKalb County, Illinois, and subsequently discovered another 12 exposed databases. None were password protected or required any type of authentication to access.
As criminal and state-backed hacking becomes ever more sophisticated and aggressive, threats to critical infrastructure loom. But often, the biggest vulnerabilities come not from esoteric software issues, but from gaping errors that leave the safe door open and the crown jewels exposed. After years of efforts to shore up election security across the United States, state and local awareness about cybersecurity issues has improved significantly. But as this year's US election quickly approaches, the findings reflect the reality that there are always more oversights to catch.
“I’ve found voter databases in the past, so I kind of know if it's a low-level marketing outreach database that someone has purchased,” Fowler tells WIRED. “But here I saw voter applications—there were actually scans of documents, and then screenshots of online applications. I saw voter rolls for active voters, absentee voters with email addresses, some of them military email addresses. And when I saw Social Security numbers and driver’s license numbers and death certificates I was like, ‘OK, those shouldn’t be there.’”
Through public records, Fowler determined that all of the counties appear to contract with an Illinois-based election management service called Platinum Technology Resource, which provides voter registration software and other digital tools along with services like ballot printing. Many counties in Illinois use Platinum Technology Resource as an election services provider, including DeKalb, which confirmed its relationship with Platinum to WIRED.
Fowler reported the unprotected databases to Platinum on July 18, but he says he didn't receive a response and the databases remained exposed. As Fowler dug deeper into public records, he realized that Platinum works with the Illinois-based managed services provider Magenium, so he sent a disclosure to this company as well on July 19. Again, he says he did not receive a response, but shortly afterward the databases were secured and pulled from public view. Platinum and Magenium did not return WIRED's multiple requests for comment.
Platinum began distributing a notification, viewed by WIRED, to impacted counties on Friday. “We have evidence of a claim the file storage containing voter registration documents may have been scanned,” Platinum wrote, adding that the exposed databases do not indicate a deeper compromise of its systems. “There was a thorough investigation executed. The findings support our ongoing belief there is no evidence of voter registration forms being leaked or stolen … We used this opportunity to deploy new and additional safeguards around voter registration documents.”
Illinois's data breach notification law requires notification to the state within 45 days of an incident. A standard version of a Champaign County contract for technology services posted publicly through a Freedom of Information Act request requires a contractor to notify the impacted county within 15 minutes of identifying a data breach.
Fowler points out that while the exposed information would potentially make impacted individuals more susceptible to identity theft and other scams, it could also be abused to submit multiple absentee ballot requests or to conduct other suspicious activity that could call a voter's legitimate vote into question and take time to reconcile. But he adds that the death certificates and other documentation contained in the trove reflect the work election officials do all over the country to manage voter registrations and ensure that everyone's vote is accurately counted.
“There’s definitely progress on basic data security, and I don’t see stuff like this very often anymore,” Fowler says. “But I used the open and public internet and no specialized tools to find this. And at the end of the day, this is critical infrastructure that was exposed.”