Database leak exposes 191M voter registration records
UPDATE: Some time between Monday evening and Tuesday morning, Vickery reported that the database had been taken offline. Our initial story follows below. _____________________________________________________________________________________________________________
A white hat security researcher discovered a database filled with voter registration records on 191 million Americans — and that anyone with an Internet connection and the right IP address can access it.
Researcher Chris Vickery said the database carries 300 gigabytes of information going as far back as 2000 and contains each voter’s:
- First, middle and last name
- Home address
- Mailing address
- Phone number
- Date of birth
- Party affiliation
- Whether the person voted in primary or general elections
It does not contain information on who the person voted for. To validate the information, Vickery found his own records, which he said were accurate. He has since reached out to other researchers at DataBreaches.Net and CSO, which independently verified the information.
“It’s been a week since I found it, and it’s just alarming,” Vickery told FedScoop. “Immediately when I found it and realized what it could be, I thought to myself, ‘I have to figure out if this is real.’ So I looked myself up. Within a minute or so, I had found my personal info I registered with, all of it completely accurate, sitting there right in front my eyes, on a database that I had found randomly on the Internet that was controlled by some stranger.”
Vickery said the information was not stolen or leaked through some unidentified vulnerability.
“If you know the IP address, boom, you can access all of it,” Vickery said. “No authentication, no password, no security whatsoever involved.”
After independent analysis, DataBreaches.Net and CSO determined the data could be linked to political data firms. DataBreaches.Net reported finding unique IP addresses tied to NationBuilder.
In a statement emailed to FedScoop, NationBuilder CEO Jim Gilliam said the database is not theirs, but may have come from data the company makes available to campaigns for free.
“From what we’ve seen, the voter information included is already publicly available from each state government so no new or private information was released in this database,” the statement reads. “We strongly believe in making voter information more accessible to political campaigns and advocacy groups, so we provide cleaned versions of that publicly accessible information to them for free. We do not provide access to anyone for non-political purposes or that would violate any state’s laws. Each state has different restrictions, and we make sure that each campaign understands those restrictions before providing them with any data. It is vital that everyone running for office knows who is registered to vote in their district.”
Vickery has uncovered a number of open databases in the past few weeks: Data on 13 million MacKeeper software users was exposed by a leak in a MongoDB database, and Japanese toy company Sanrio leaked information on 3.3 million people.
It’s unclear if any of the information can be tied to “high risk professionals,” but Vickery said in a Reddit post that he uncovered information on some police officers in his hometown.
“If my information is out there, there is a lot of people that have better reasons to be private than I do, and their information is probably in there,” he said. “It seems like a whole country’s worth of registered voters information would be a national security issue.”
FBI and DHS issued a “no comment” when asked about the voter database.
[Read more: Could tech create a new voting experience?]
How voter information is protected varies by state. Some have no restrictions in place, while others prohibit commercial use or require the data be used for only political purposes.
Vickery said he has been in contact with law enforcement over his findings, partly due to the worry that this information could be used in all sorts of identity fraud, from phishing scams to robocalls.
“If a group gets a hold of this, they have phone numbers for the rest of their lives to call,” Vickery told FedScoop.
He is also worried about criminals cross referencing this information with other compromised personally identifiable information, including the data on more than 22 million current and former federal employees exposed by the Office of Personnel Management breaches.
“Combine those two together, and you could have some powerful information,” he said.
Update, 2:32 p.m.: This story was updated with a statement from NationBuilder CEO Jim Gilliam.
Update, 12/29/15, 10:15 a.m.: Added information that the database was taken down.
Contact the reporter on this story via email at email@example.com, or follow him on Twitter at @gregotto. His OTR and PGP info can be found here. Subscribe to the Daily Scoop for stories like this in your inbox every morning by signing up here: fdscp.com/sign-me-on.