Posted on August 18, 2017 at 12:20 PM
A leading supplier of voting machines in the US confirmed the exposure of personal information of almost 2 million Illinois residents.
The major data leak included the names, dates of birth, addresses, party affiliations and partial Social Security numbers of 1.8 million Chicago citizens, as well as some driver’s license and state ID numbers. State authorities and the Federal Bureau have been alerted.
The breach was discovered on an Amazon Web Service (AWS) device that did not have a password by Jon Hendren, an employee of the cyber resilience firm UpGuard. Afterward, cyber risk analyst Chris Vickery downloaded the voter data and discovered that Election Systems & Software (ES&S) controlled it. ES&S is the provider of voting machines and its services in more than 42 states.
After ES&S posted about the leak on their website on Thursday, the city of Chicago did not immediately respond to a request for comment, but did manage to speak about it briefly on Saturday, when it has been said that the US Senator Dick Durbin of Illinois was made aware of the situation.
The voting machine provider ES&S received a notice about the leak by the FBI and proceeded to begin its own investigation, along with the assistance of UpGuard. The company said in a statement that they will be performing thorough forensic analyses of the AWS server and that the investigation is still ongoing.
The provider also said that the AWS server did not hold any information on ballots or vote totals, and was not connected to voting or tabulation systems of Chicago. ES&S also made it clear that the leak did not, in fact, had any impact on the results of any election.
Earlier this year, at DefCon security conference held in Las Vegas, hackers played with an ES&S electronic poll book, which is a device used to check in voters on Election Day. As previously reported, the hackers dug up personal records of 654,517 people who voted in Shelby County, Tennessee on the device. The personal data included names, birthdates, addresses and political party. The poll book has been proven to be purchased on eBay. The manufacturer did not respond to a request for comment.
This June, UpGuard stumbled upon a huge unsecured database that held personal information of 200 million US registered voters online and found it leaking. The leak was then connected to Deep Root Analytics, which is a conservative data firm contracted by the Republican National Committee during the 2016 election.
Chicago Election Board Chairwoman Marisel Hernandez made an official statement, saying that the city officials are deeply troubled by this incident but relieved it had been contained in a short amount of time. She also said that they have been in contact with the provider so they could review the steps that should be taken, which includes the investigation of ES&S’s AWS server. They are taking steps to make sure this never happens again, she added.
UpGuard CEO Mike Baukes also made a statement, saying that the provider was able to secure data in a short amount of time and send out a public statement that contained details of the exposure which in response helped UpGuard’s team to ensure that the information leak is secured.