21st Century Whodunnit: Leak Exposes Info on Every American Voter



Call it a 21st century whodunnit. A researcher discovers leaked data identifying 190 million registered voters. The question: whose data is it?

A researcher uncovered one of the biggest data leaks ever in late December when he stumbled on a database containing information on some 190 million registered voters in the U.S. But, in a sign of the times, it's not clear whose data was lost, or if the leak is a crime.

As reported over at Databreaches.net, researcher Chris Vickery first reported discovering the data on December 20th and was shocked to find his own registration information among the leaked data. The data was exposed as a result of a misconfiguration in the database server that it was stored in. Anyone with access to the Internet and the knowledge of where to look could find it.

In all, Vickery said, there was information on 191,337,174 voters. If true, that is greater than the total of all registered voters in the U.S., which is estimated at 142 million individuals, according to U.S. Census data. There’s no explanation of the additional 50 million voters – though it’s certainly possible that the same individual might be registered to vote in more than one jurisdiction.

The 50 million extra voters aren’t the only mystery – or even the biggest mystery, however. At the top of the list of questions that need to be answered: to whom does the exposed database belong? Vickery worked with journalist Steve Ragan over at the Salted Hash blog to try to track down the answer to that question. Initial speculation focused on the firm NationBuilder, a Los Angeles-based company co-founded by Sean Parker of Napster (and Facebook) fame. That was based on clues within the exposed database, including a unique record ID that identifies each voter. According to Databreaches.net, however, NationBuilder has denied any connection to the IP address of the exposed database server on behalf of the company or its hosted customers.

Does that mean the data isn’t NationBuilder’s? No – in fact it almost certainly is. As Ragan points out: the data could belong to any one of an unknown number of downstream consumers of NationBuilder, who paid for the company’s database of registered voters, then used it as the foundation of some as-yet-unknown voter identification or marketing program. One identified user in the leaked database, for example, is a PAC (political action committee) linked to a sitting congressman. A staffer for that congressman said that the database was unlikely to be theirs because “they only worked regionally, not nationally,” Ragan reported. Hmm…

This is just the latest dust-up linked to loosely secured databases of voter information. The presidential campaign of Senator Bernie Sanders was forced to apologize for a foray into voter data compiled by the campaign of his rival for the Democratic party nomination, Hillary Clinton. That followed an update by NGP VAN, the firm that manages the database for the Democratic National Committee.

It will also not be the last voter-related breach we’ll read about as the U.S. ramps up for the presidential race in November of next year and down-ticket races for Senate, the House of Representatives and state and local races. As the two successful campaigns of President Obama illustrated, data is the fuel that runs successful campaigns, and the list of firms offering variations of what NationBuilder offers is long. However, while firms like NationBuilder are responsible for the security of the data they manage and host, their responsibility ends once the data is transferred to customers. And the list of PACs, SuperPACs and campaigns with an interest in voter data is much, much, much longer than the list of organizations with the know-how to properly secure it from prying eyes.

The final point, of course, is that much of the data exposed and then discovered by Mr. Vickery is – in fact – public data. Information like a voter’s name, address, party affiliation and his or her record of voting in recent elections is all available for free – or nearly so – at your local town clerk.

As Databreaches.net points out, federal law and many states consider such data public information. Its “exposure,” therefore, doesn’t constitute a crime. Other states – notably California – do protect certain pieces of voter information, however, meaning that a certain portion of the affected voters (around 17 million, by Vickery’s count) may have some legal recourse to get the information pulled offline.

If anything, the leak of voter data is a fitting coda to 2015: underscoring the inability of lawmakers and the private sector to find a way to balance the privacy rights of consumers and citizens against the insatiable hunger for more and more information. With each report of a hack or a breach, the circle of exposed citizens grows to encompass more and more people until, with breaches like this, it swells to encompass pretty much everyone. And maybe that’s a good place to start the new year: with recognition that we’re all victims of data breach. Now the question is: what to do about it?

Paul F. Roberts is the Editor in Chief of The Security Ledger and Founder of The Security of Things Forum.


Paul Roberts is the editor in chief of The Security Ledger and founder of the Security of Things Forum. A seasoned reporter, Paul has more than a decade of experience covering the IT security space. His writing has appeared in publications including The Christian Science Monitor, MIT Technology Review and The Economist Intelligence Unit. He's appeared on news outlets including Al Jazeera America, NPR's Marketplace Tech Report and The Oprah Show.