Info on 1.8 million Chicago voters exposed on Amazon server – USA TODAY

A test voting card for a punch voting system.(Photo: Elizabeth Weise)

SAN FRANCISCO Names, addresses, dates of birth and other information about Chicagos 1.8 million registered voters was left exposed and publicly available online on an Amazon cloud-computingserver for an unknown period of time, the Chicago Board of Election Commissions said.

The database file was discovered August 11by asecurity researcher at Upguard, a company that evaluates cyber risk. The companyalerted election officials in Chicago on August 12 and thefile was taken down three hours later. The exposure was first made public on Thursday.

The database was overseen by Election Systems & Software, an Omaha, Neb.-based contractor that provides election equipment and software.

The voter data was a back-up file stored on Amazons AWS servers and included partial Social Security numbers, and in some cases, driver's license and state ID numbers, Election Systems & Software said in a statement.

Amazon's AWS cloud service provides online storage, but configuring the security settings for that service is up to the user and is not set by Amazon. The default for all of AWS' cloud storage is to be secure, so someone within ES&S would have had to choose to configure it as public.

The incident is an example of the potential problems raised by an increasingly networked and connected voting system whose security systems have not necessarily kept up especially at atime when Russia is known to be probing U.S. election systems.

It's also the latest example of sensitive data left exposed on cloud computing servers, vulnerabilities that cybersecurity firm Upguard has been identifying.Similar configuration issues on Amazon cloud servers have left exposed Verizon, Dow Jones andRepublican National Committee data.

More: Verizon, Dow Jones leaks a reminder: safeguard your cloud data

Every copy of data is a liability, and as it becomes easier, faster, and cheaper to transmit, store, and share data, these problems will get worse, said Ben Johnson, chief technical officer at California-based Obsidian Security, and a Chicago voter.

Electronic Systems & Softwareis in the process of reviewing allprocedures and protocols, including those of its vendors, to ensure all data and systems are secure and prevent similarsituations from occurring,it said in a statement.

No ballot information or vote totals were included in the database files and the information was not connected to Chicago's voting or tabulation systems, ES&Ssaid.

We were deeply troubled to learn of this incident, and very relieved to have it contained quickly, said Chicago Election Board Chairwoman MariselHernandez. We have been in steady contact with ES&S to order and review the steps that must be taken, including the investigation of ES&Ss AWS server," she said.

The database was discovered by Upguard's director of strategyJon Hendren. The company routinely scans for open and misconfigured files online and on AWS, the biggest provider of the cloud computing services.

The database also included encrypted versions of passwords for ES&S employee accounts.The encryption was strong enough to keep out a casual hacker but by no means impenetrable, said Hendren.

It would take a nation state, but it could be done if you have sufficient computing power, he said. The worse-case scenario is that they could be completely infiltrated right now, he said.

If the passwords are weak, they could be cracked in hours or days. If they are credentials that ES&S employees use elsewhere (corporate VPN) without two-factor authentication, then the breach could be way more serious, said Tony Adams of a Secureworks, an Atlanta-based computer security firm.

The implications of the exposure are much broader thanChicagobecause Election Systems & Software is the largest vendor of voting systems in the United States, said Susan Greenhalgh, an election specialist with Verified Voting, a non-partisan election integrity non-profit.

If the breach in Chicago is an indicator of ES&S's security competence, it raises a lot of questions about their ability to keep both the voting systems they run and their own networks secure, she said.

Russia is known to have probed at least 38 state voter databases prior to the 2016 election, federal officials have said. Because of that, the fact that the Chicago data was available to anyone with an Internet accounteven if they had to poke around a bit to find it representsa risk, Obsidian Security's Johnson said.

"Its hard to say malicious actors have found the data, but it is likely some were already hunting for it. Now, with more headlines and more examples of where to look, you can bet that malicious actors have already written the equivalent of search engines to more automatically find these hidden treasures of sensitive data," Johnson said.

Read or Share this story:

Read more:
Info on 1.8 million Chicago voters exposed on Amazon server - USA TODAY

Related Post

Comments are closed.