SAN FRANCISCO – Names, addresses, dates of birth and other information about Chicago’s 1.8 million registered voters were left exposed and publicly available online on an Amazon AWS server for an unknown period of time, the Chicago Board of Election Commissions said.
The database file was discovered on Friday by a security researcher at Upguard, a company that evaluates cyber risk. The company alerted election officials in Chicago on Saturday and the file was taken down three hours later. The exposure was first made public on Thursday.
The database was not overseen by the Chicago Board of Election but instead Election Systems & Software, an Omaha, Neb.-based contractor that provides election equipment and software to election officials nationwide.
The voter data was a backup file stored on Amazon’s AWS servers and included about 1.8 million names, addresses, dates of birth, partial Social Security numbers, and in some cases, driver's license and state ID numbers, Election Systems & Software said in a statement.
Amazon's AWS cloud service provides online storage, but configuring the security settings for that service is up to user and is not set by Amazon. The default for all of AWS' cloud storage is to be secure, so someone within ES&S would have had to choose to configure it as public.
The company is in the process of reviewing all procedures and protocols, including those of its vendors, to ensure all data and systems are secure and prevent similar situations from occurring," it said in a statement.
No ballot information or vote totals were included in the database files and the information was not connected to Chicago's voting or tabulation systems, the company said.
“We were deeply troubled to learn of this incident, and very relieved to have it contained quickly,” said Chicago Election Board Chairwoman Marisel Hernandez. “We have been in steady contact with ES&S to order and review the steps that must be taken, including the investigation of ES&S’s AWS server," she said.
The database was discovered by Upguard's director of strategy Jon Hendren. The company provides cyber surveillance and resilience support and routinely scans for open and misconfigured files online and on AWS, which is how the Chicago voter database was discovered.
The database also included an encrypted version of passwords for ES&S employee accounts. The encryption was strong enough to keep out a casual hacker but by no means impenetrable, said Henden.
“It would take a nation-state, but it could be done if you have sufficient computing power,” he said. “The worse case scenario is that they could be completely infiltrated right now,” he said.
The incident is an example of the potential problems raised by an increasingly networked and connected voting system whose security systems have not necessarily kept up — especially at a time when Russia is known to be probing U.S. election systems.
The exposure is much broader than the issue of personal information about 1.8 million Chicago voters being available online because Election Systems & Software is the largest vendor of voting systems in the United States, said Susan Greenhalgh, an election specialist with Verified Voting, a non-partisan election integrity non-profit.
“Not only does ES&S provide the voting equipment, in many jurisdictions ES&S programs and helps to run the equipment for election officials. If the breach in Chicago is an indicator of ES&S's security competence, it raises a lot of questions about their ability to keep both the voting systems they run and their own networks secure,” she said.
“Every copy of data is a liability, and as it becomes easier, faster, and cheaper to transmit, store, and share data, these problems will get worse,” said Ben Johnson, chief technical officer at California-based Obsidian Security, and a Chicago voter.
Given that Russia probed at least 38 state voter databases prior to the 2016 election according to federal officials, however obscure the Chicago data base might have been it still represented a risk, he said.
"It’s hard to say malicious actors have found the data, but it is likely some were already hunting for it. Now, with more headlines and more examples of where to look, you can bet that malicious actors have already written the equivalent of search engines to more automatically find these hidden treasures of sensitive data," Johnson said.