More than 35 million voter records have been found for sale in a Dark Web forum containing information on voters from 19 states with prices ranging from $150 to $12,500.
This information was tallied by Anomali Labs researchers working in conjunction with Intel 471 which reported the records contain voter data including full name, phone numbers, physical addresses, voting history, and other unspecified voting data. The researchers noted that 23 million of the records came from just three states, which they did not name, with the remaining 12 million divided up among the remaining 16 states.
“To our knowledge, this represents the first reference on the criminal underground of actors selling or distributing lists of 2018 voter registration data, including U.S. voters’ personally identifiable information and voting history,” Anomali and Intel 471 said.
If this data is combined with information derived from other breached databases there is a chance it could be used to disrupt the electoral process or pursue large-scale identity theft, the report stated.
The states are:
Perhaps due to the cost, several groups have set up crowdfunding sites promising those who donate will have access to all of that state’s data once the goal has been reached. As of today, only the Kansas records have been sold and one with for Oregon at about 20 percent complete, according to information seen on the Dark Web forum by the researchers. Another group offered to buy all of the records and make them generally available to the embers of a particular hacker’s forum.
The malicious actors selling these databases include with their base price weekly voter registration updates for the buyer that, they claim from contacts within the state governments. This indicated the threat actors either had persistent access to the database electronically or was obtaining the information from a human source.
“Threat actors frequently recruit and fool insiders into helping them to pull off data theft and abuse schemes. This research seems to indicate that insiders either knowingly or unwittingly helped the nefarious party to obtain voter information,” Dtex CEO Christy Wyatt told SC Media.
“Certain states require the seller to personally travel to locations in-state to receive the updated voter information. This suggests the information disclosure is not necessarily a technical compromise but rather a likely targeted campaign by a threat actor redistributing possibly legitimately obtained voter data for malicious purposes on a cybercrime forum,” the report stated.
The variable prices for each state, $150 to $12,500, could be related to the number of voter records per database listing or perhaps reflects the confidence the seller has that the data is accurate.
Some voting records are already of public record, the researchers noted, and can include full name, address, email and party affiliation, but for the most part those who can obtain these lists are limited to groups such as political campaigns, journalists, or academic researchers.