In what is likely a display of incompetence rather than malice, a database of 191 million US voters has been discovered to be exposed to the public, and can be accessed by anyone if they know how to find it. It is believed that the database is supposed to be private, but is only publicly accessible because it is configured improperly. The database included names, addresses, birth dates, phone numbers and email addresses of voters in all 50 states and D.C.
The database was discovered by researcher Chris Vickery, who was searching for publicly exposed data online in an effort to raise awareness of data leaks. Vickery was unsure if anyone else besides him had discovered the database. He is unsure who is the owner of the database, but is working with federal authorities to find the owner. Vickery did not state which federal agency he is working with. The U.S. Federal Elections Commission, which is responsible for regulating campaign financing, stated they do not have jurisdiction over protecting voter information. No other federal agency has made any public statement on this matter.
This matter was originally reported on CSO Online and Databreaches.net, which assisted Vickery in trying to find the database’s owner. CSO Online believed that some of the information in the database may have come from the campaign software provider NationBuilder, because the database contained codes similar to those used by that company. NationBuilder CEO Jim Gilliam says the database was not created by his company, but some of the data may have originated from NationBuilder. The company freely supplies voter data to political campaigns.
The laws relating to the protection of voter data vary wildly from state to state. Some have no restrictions at all on making the data publicly available, but many do have regulations about who is allowed to access the data and for what purpose. California, for example, requires that the data be used for political purposes only and not be made available to anyone outside of the United States. Whoever owns the database might be in violation of several state laws because of this breach.
The article on DataBreaches has been updated to state that the database is no longer exposed to the public.
Is this data breach a cause for alarm, or no big deal? Leave your comments below.