Election Equipment Vendor Exposes Voter Data Online
[EDITORS NOTE: This manufacturer is the same firm that makes the voting equipment used in Lee County, Florida]
Voter registration data belonging to the entirety of Chicago’s electoral roll—1.8 million records—was found a week ago in an unsecured cloud “data bucket” configured for public access.
The data was a backup stored in the cloud by Election Systems & Software (ES&S), a voting machine and election management systems vendor based in Omaha, Ne.
Researchers from UpGuard made the discovery last Saturday and privately reported the leak to a government regulator who connected them to the Chicago FBI field office. The FBI then notified ES&S, which immediately pulled down the data from the Amazon Web Services system.
Amazon buckets are configured to be private by default and require some kind of authentication to access what’s stored in them. For some reason, ES&S misconfigured its bucket to public months ago, opening the possibility that others had accessed the data before UpGuard.
ES&S confirmed in a statement that the copy of the backup file, a .bak or Microsoft SQL backup file, contained 1.8 million names, addresses, dates of birth, partial Social Security numbers and in some cases, driver’s license and state identification numbers. Jon Hendren, director of strategy at UpGuard and the person who found the exposed data, said that the databases also included fields indicating whether a voter was active. About 1.5 million of the records belonged to active voters.
There were two folders in the AWS bucket, Hendren said, containing about a dozen backup files, about 12GB in all. Also in the folder was some information on ES&S security procedures that included the hashed email passwords of ES&S employees. While the personal information of voters exposes them to fraud via phishing and other scams, the employee data poses a serious threat in another direction.
“There’s no telling how far a nefarious actor could get if they’re willing to use those credentials,” said Chris Vickery, UpGuard director of cyber risk research who has found other similar leaks via Amazon buckets. “There’s no way to tell if they would be able to infiltrate ES&S networks or systems, but the potential is there.”
ES&S sells a number of different electronic voting systems and vote tabulators. The City of Chicago is a customer of theirs, and it’s unknown what type of work was being done with the data or why it was being stored in a publicly accessible bucket.
“The backup files on the AWS server did not include any ballot information or vote totals and were not in any way connected to Chicago’s voting or tabulation systems,” ES&S said in a statement. “These backup files had no impact on any voters’ registration records and had no impact on the results of any election.”
The City of Chicago Election Board said it was notified of the breach by the FBI last Saturday afternoon at 5:37. By 9:44 p.m., the board said ES&S had taken the server offline. The board said in a statement that no systems, websites or servers managed by the board were affected and that none of its sites or networks reside on AWS.
“We were deeply troubled to learn of this incident, and very relieved to have it contained quickly,” said Chicago Election Board Chairwoman Marisel A. Hernandez. “We have been in steady contact with ES&S to order and review the steps that must be taken, including the investigation of ES&S’s AWS server. We will continue reviewing our contract, policies and practices with ES&S. We are taking steps to make certain this can never happen again.”
Vickery said it’s unknown whether anyone else accessed the data, nor whether ES&S had logging configured and enabled.
“Given the bucket name was easy to guess (“Chicago DB”) and had been up many months before I noticed it, I would say the chances of me being the first one are slim,” Hendren said.
Vickery added that ES&S websites do not have SSL enabled. A web-scanning and ranking service called CSTAR run by UpGuard determined the ES&S also falls short in that it does not have HSTS turned on, nor does it use HttpOnly cookies, secure cookies, DMARC or DNSSEC. It also displays the server information header.