In a shocking discovery, cybersecurity researcher Jeremiah Fowler had recently uncovered a trove of over 4.6 million sensitive voter data and election documents that were left vulnerable and exposed online. The documents, which included voter records, ballot templates, and other election-related materials, were found in 13 unprotected databases managed by the Illinois-based technology contractor.
According to the researcher’s findings, the databases belonged to a company called Platinum Technology Resource, which provides election technology and services to counties across Illinois. By simply replacing the county name in the database URLs, the researcher was able to identify additional exposed databases, some of which were password-protected but still at risk of unauthorized access.
4.6 Million Illinois Voter Data Exposure Raises Concerns
The exposed databases contained a trove of sensitive personal information, including voter names, addresses, dates of birth, Social Security numbers, and driver’s license numbers. Fowler also discovered documents with candidate information, such as phone numbers, email addresses, and home addresses, as well as petitions with voter signatures.
While the researcher found no immediate signs of wrongdoing, the potential risks posed by this data exposure are significant. Malicious actors could use the information for voter intimidation, disinformation campaigns, or even identity theft and fraud.
“Having PII of voters would potentially allow malicious actors to send them misleading information (about voting dates, locations, or requirements) based on their party affiliation,” the researcher explained. He added, “Another possible risk is voter intimidation, which includes using past voter history to threaten or harass voters.”
According to the contractor’s website, the company had served election related services to the region for decades:
“Platinum Technology Resource has been providing election technology and services to counties throughout the State of Illinois for over thirty-five (35) years. Through voter registration, election-day support, ballot management, tabulation, and election management software, we have incorporated lessons learned into our product PlatinumVR”.
Need for Enhanced Data Protection Measures
The exposure of the huge volume of sensitive election data underscores the importance of robust cybersecurity measures to protect the integrity of the electoral process. Since 2017, the Department of Homeland Security has classified election infrastructure as critical, recognizing the devastating impact that an attack on these systems could have.
“It is important to maintain public trust in the electoral process in the United States and democracies around the world,” the researcher said. “This trust is especially true in the wake of the 2020 election, when the integrity of the process was called into question,” he added.
To address this issue, the researcher recommends that organizations managing sensitive election data implement a combination of access controls and encryption to secure their databases. This includes using unique, time-limited access tokens to grant authorized users the ability to retrieve documents, rather than relying solely on password protection.
“Voters and election officials alike need access to documents for tracking and validation purposes, and those documents must be stored somewhere,” the researcher said. It is important that these storage areas are fully protected at the database level and not just when using a front-facing password-protected dashboard that still exposes the document itself to anyone who knows the URL address,” the researcher expressed.
As the 2024 election season approaches, the need to safeguard the electoral process of the United States has never been more urgent. The exposure of this vast trove of voter and election data serves as a stark reminder of the critical importance of cybersecurity in preserving the integrity of democratic institutions.
