A security researcher has discovered a database of 191 million American voters, including personal information, left unprotected on the internet due to misconfiguration, according to media reports. On December 20, DataBreaches.net was contacted by Chris Vickery, who provided a screenshot of his own information from a database with over 191 million records. Despite the involvement of the FBI and the California Attorney General’s Office, the database is still accessible and its owner remains a mystery.
Voter lists can be legally obtained in many states, with wide-ranging restrictions and fees. According to DataBreaches.net, some of the information is public, but some is non-public, and the public accessibility of the database violates laws such as a California statute barring distribution of voter registration information outside the US, and its “unrestricted access on the internet” makes it a violation of South Dakota law.
“The alarming part is that the information is so concentrated,” Vickery told VentureBeat.
In addition to law enforcement agencies, campaign software provider NationBuilder was informed of the vulnerability, but a representative told DataBreaches.net that the database’s IP did not belong to it or any of its hosted clients. Unique data field labels, however, suggest that it contains data from NationBuilder, and is therefore likely the property of a NationBuilder client.
Vickery and DataBreaches.net reached out to Steve Ragan of “Salted Hash” on CSO Online for help identifying the responsible party and plugging the leak. Ragan reports that “the data is housed as part of a Linux build,” and that each of the several political data firms he contacted denied ownership of the database.
While most of the information appears to be public, the lack of control over its access is clearly a breach of privacy and law. Even more troubling is the inability of researchers to discover the owner. If the database is the property of a candidate, voters may want to consider that candidate’s effectiveness in handling information security.
Vickery had been searching the internet for database vulnerabilities after discovering 3.3 million member records for a “Hello Kitty” fan site exposed by server misconfiguration earlier this month.