A security researcher discovered an unencrypted database containing 154 million records of U.S. voters that included addresses, phone numbers, political party, income range, ethnicity, age, and voting history. Some of the records provided even more sensitive details such as voter's Facebook profiles, email addresses, gun ownership, and views on abortion and gay marriage.
The CouchDB database records, discovered by MacKeeper security researcher Chris Vickery, were stored on a Google account that required no username, password, or authentication. Vickery does not know who is responsible for the insecure database, although he stated in a MacKeeper blog post that the files belonged to an unnamed client of L2, a data broker.
L2 worked with Vickery to ensure that the information was taken down from the unsecured Google cloud service. L2's CEO, Bruce Willsie wrote in an email to Vickery that the unsecured file contained “only a very small number of our standard fields” and “was an old copy” from a year ago.
The discovery of the open database raises questions about the extent of collection practices engaged in by of data brokers and the responsibility of securing sensitive information after the data has been sold to clients.
“‘This was an old copy' is a totally unacceptable response from the CEO of the company,” wrote Marcus Carey, CTO and founder of vThreat, in an email to SCMagazine.com. “This kind of information isn't perishable because it isn't going to change anytime soon.”
The information, noted Carey, can be used not only in identity theft and fraud, but also for targeted cyber attacks.
According to log files viewed by Vickery, a Serbian IP was interacting with the database in April, raising the specter of data collection about individuals by foreign groups, and potentially intelligence agencies.
The discovery is especially disconcerting in light of the recent hacking of the Democratic National Committee (DNC) system and subsequent reports that indicate the hacker who claimed sole responsibility for that intrusion appears to be linked to Cozy Bear and Fancy Bear, APTs that have been closely associated with Russian intelligence.
“Nation states would love this data, as would political rivals,” wrote Tom Kellermann, CEO of Strategic Cyber Ventures, in an email to SCMagazine.com. “The data brokers have a history of horrible cybersecurity and their negligence can undermine the integrity of elections.”
This is not the first instance of U.S. voter data being left exposed, although it is by far the largest data set of U.S. voters to have been discovered. In January, Vickery discovered 56 million records that appeared to have originated from a U.S.-based right-wing Christian group.
Information security professionals warn that greater security measures must be taken to protect such information from falling into the hands of criminals. Adam Levin, chairman and founder of IDT911, and author of Swiped, noted that cybercriminals can use such data to coordinate sophisticated identity theft schemes, in an email to SCMagazine.com. The information available “is more than enough for hackers to access current financial accounts, set up fraudulent accounts, as well as launch effective phishing attacks against millions of unsuspecting citizens to gather additional information that can be used to commit tax fraud,” he wrote.
Other nations have also experienced similarly staggering leaking data. Vickery also discovered 93.4 million Mexican voter registration records and as many as 55 million voters in the Philippines, both of which were announced in April.