Personal data on more than 1.8 million Chicagoan voters was found exposed on a cloud-based storage site, available to anyone for downloading, researchers from UpGuard's Cyber Risk Team have reported.
According to an article posted Thursday on UpGuard's Breach analysis blog, the data repository is owned and operated by Omaha, Neb.-based voting machine firm Election Systems & Software (ES&S), and appears to have been created around the time of the 2016 U.S. election. The data breach involves voter names and ID numbers, addresses, phone numbers, driver's license numbers, and the last four digits of Social Security numbers.
On Aug. 11, UpGuard found the data residing on an Amazon Web Services (AWS) S3 bucket that was configured for public access. In June, UpGuard similarly uncovered a publicly exposed AWS S3 storage unit containing data on nearly 200 million registered U.S. voters, which was compiled by contractors working for the Republican National Committee.
By the evening of Aug. 12, ES&S had already resolved the breach by taking the server offline. Nevertheless, "This data exposure highlights the continuing danger of sensitive voter information being exposed to the public Internet by third-party vendors hired by party organizations and electoral supervisors to assist in their efforts," the UpGuard article stated.
ES&S was collecting this data on behalf of the Chicago Board of Election Commissioners.
“We were deeply troubled to learn of this incident, and very relieved to have it contained quickly,” said Chicago Election Board Chairwoman Marisel Hernandez, in a press release issued by the board. “We have been in steady contact with ES&S to order and review the steps that must be taken, including the investigation of ES&S's AWS server. We will continue reviewing our contract, policies and practices with ES&S. We are taking steps to make certain this can never happen again.”
"The backup files on the AWS server did not include any ballot information or vote totals and were not in any way connected to Chicago's voting or tabulation systems," stated ES&S in a company blog post.
"These back-up files had no impact on any voters' registration records and had no impact on the results of any election," continued ES&S, noting that it has launched a full investigation and forensic analysis with the assistance of a third-party firm.
In its post, UpGuard specifically credits its director of strategy Jon Hendren with the breach discovery, while ES&S and the Chicago Board of Elections give kudos to UpGuard security researcher Chris Vickery in their respective statements. In recent months, UpGuard has also found publicly configured AWS S3 buckets hosting databases belonging to Dow Jones, the Department of Defense, and Verizon.
"The Chicago voter data exposure highlights the need for organizations to better understand the security practices of all parties in the data chain of custody," said Fred Kneip, CEO of cyber risk management company CyberGRX, in comments emailed to SC Media. "Who has your data and how well are they securing it, whether it is in the cloud or on-premises? Are they encrypting the data in an S3 bucket? These are critical factors that organizations need to understand about all third parties in their digital ecosystem in order to know which pose the most risk to their data."
John Suit, CTO at data security company Trivalent, said in emailed comments that the breach "highlights the critical importance of data protection in the public sector... Citizens are putting their trust in government organizations to protect their voter data when they come to the polls. The only way to ensure their information is never exposed is with next-generation data protection solutions that protect citizens' data, even in the event of insider threat or hacker breach."
Varun Badhwar, CEO and co-founder of cloud infrastructure security company RedLock, noted in emailed comments that Amazon's new service Macie, which uses machine learning to help businesses automatically discover, classify, and protect data stored in AWS S3 buckets, "will certainly reduce the number of breaches due to this specific issue. However, organizations still have a long way to go in ensuring that their public cloud environments are secure... Until all organizations are educated on best practices for public cloud security, and take advantage of tools that can automate the process and provide advanced threat detection, we'll continue to see consumers and business users pay the price."