46 Million Voter and Election Documents Exposed Online by Technology Contractor
p
vpnMentor was established in 2014 to review VPN services and cover privacyrelated stories Today our team of hundreds of cybersecurity researchers writers and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC which also owns the following products ExpressVPN CyberGhost and Private Internet Access which may be ranked and reviewed on this website The reviews published on vpnMentor are believed to be accurate as of the date of each article and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer taking into account the technical capabilities and qualities of the product together with its commercial value for users The rankings and reviews we publish may also take into consideration the common ownership mentioned above and affiliate commissions we earn for purchases through links on our website We do not review all VPN providers and information is believed to be accurate as of the date of each article ppCybersecurity Researcher Jeremiah Fowler discovered and reported to VpnMentor about the discovery of 13 nonpasswordprotected databases that contained 46 million documents including voter records ballots multiple lists and electionrelated recordsppppI recently discovered a nonpasswordprotected database that contained a collection of different documents including voting records ballot templates voter registrations and numerous lists All of the physical addresses appeared to be from a single county in the state of Illinois Upon further analysis in my attempt to identify the owner of the dataset I suspected there could be more counties inadvertently exposing voter and election records So I took the known database name format and simply replaced the county name This identified a total of 13 open and publicly accessible databases and an additional 15 databases that exist but are not publicly accessibleppAccording to multiple news articles and freedom of information act FOIA documents posted online these counties have contracts with a company called Platinum Technology Resource This company offers a variety of services ranging from ballot printing to election management and voter registration software The counties indicated in the exposed databases also offer a voter information portal that redirects to a domain indicating Platinum vrms I can only speculate this stands for voter record management system To verify this I made phone calls to several county clerks offices and was informed that only one vendor Platinum Technology Resource manages their voter and election data and it is known as Platinum Elections ServicesppOnce I was reasonably sure who managed the database I sent a responsible disclosure notice to Platinum Technology Resource However in a follow up review the next day I noticed the database was still publicly accessible In an attempt to identify other contact details I found several additional FOIA documents indicating an Illinoisbased technology company called Magenium is responsible for the technical support of Platinum Elections Services During a phone call to Magenium I was told that they are a partner of Platinum Technology Resource and that they would look into my findings A day after sending Magenium a responsible disclosure notice the databases were restricted In a phone call a representative from Magenium confirmed their closure of the databases and that Platinum Election Services was aware of the situation It is not known how long the documents were exposed or if anyone else gained access Only an internal forensic audit could identify additional access or suspicious activityppAccording to their website Platinum Technology Resource has been providing election technology and services to counties throughout the State of Illinois for over thirtyfive 35 years Through voter registration electionday support ballot management tabulation and election management software we have incorporated lessons learned into our product PlatinumVRppThe exposed databases containedcsv documents with lists of available or active voters absentees early mailin voting records and duplicate voters Other documents marked as voter records contained far more potentially sensitive personal information including full name physical address some email addresses date of birth SSN full and partial or drivers license number and historical voting records The database also contained copies of voter registration applications death certificates and records of change of address jurisdiction or state There were also candidate documents such as statements of candidacy detailing personal phone number email address and home address These candidate documents also included petitions with voter signatures addresses candidate loyalty oath economic interest and additional supporting documentation There were also documents marked as official ballot templates for primaries and general electionsppThere are few things in the US as divisive as politics but everyone can probably agree that data protection and the security of election systems is a necessity Since 2017 the Department of Homeland Security classifies election infrastructure as critical acknowledging that the incapacitation or destruction of election systems would have a devastating effect on the country According to information published by CISA this includes voter registration databases and associated IT systems used to manage elections such as the counting auditing and displaying of election results and the postelection reporting to certify and validate resultsppIt is important to maintain public trust in the electoral process in the United States and democracies around the world This trust is especially true in the wake of the 2020 election when the integrity of the process was called into question As a nonpolitical person I believe that no matter what your political beliefs are all citizens should feel that their votes matter Any assertions that elections are not fair could potentially harm civic engagement and the overall trust in the democratic processppIt is important to maintain public trust in the electoral process in the United States and democracies around the world This trust is especially true in the wake of the 2020 election when the integrity of the process was called into question As a nonpolitical person I believe that no matter what your political beliefs are all citizens should feel that their votes matter Any assertions that elections are not fair could potentially harm civic engagement and the overall trust in the democratic processppMany reports on social media claim that the names and voter records of deceased individuals were allegedly used to cast votes in past elections changing the outcome in favor of one candidate or another In a limited sample of documents I reviewed I crossreferenced several exposed death records with active voter lists and I am happy to report none of those names appeared or were included as active voters Based on the documents I saw there was nothing to indicate anything suspicious or that the elections in those jurisdictions were not free and fair Although there were no signs of any wrongdoing it is crucial to protect elections and voter data from cyber attacks which may include tampering with documents or using exposed voter information for fraud or misinformation Concerns about election tampering through a cyber attack could undermine confidence in the accuracy and fairness of election outcomes and this is why the US government has deemed election data as critical infrastructureppThe potential risk of a coordinated disinformation campaign using voter lists and voter registrations is a serious concern from both outside actors such as Russia or China and domestic activists looking to sway political opinions According to a study conducted by the Pew Research Center in 2020 75 of American voters believed there would be outside interference in the presidential election Having PII of voters would potentially allow malicious actors to send them misleading information about voting dates locations or requirements based on their party affiliation Another possible risk is voter intimidation which includes using past voter history to threaten or harass votersppAnother hypothetical concern would be if a criminal used a voters information and voter ID number to cast multiple ballots by mail triggering potential legal problems for the real voter and invalidating their real vote These tactics could undermine the democratic process in rural areas where a small number of votes can influence the outcome by reducing voter turnout or manipulating local or state election results in favor of a particular candidate or agenda I am not saying there is an imminent threat of voter fraud or intimidation based on this data exposure I am only presenting a hypothetical realworld risk scenarioppExposed PII combined with highly sensitive information such as Social Security Numbers and drivers license numbers poses significant risks beyond the political sphere Criminals could potentially use information intended for voter registration to commit identity theft and various forms of fraud Many banks credit card companies and loan providers require little more than a matching SSN and date of birth Additionally the same information could be used to file fraudulent tax returns According to the IRS in 2023 over 1 million tax returns were flagged for additional review for potential identity fraud and totaled more than 6 billion in refunds Identity theft can have severe financial consequences and leave victims with damaged credit or other legal and financial obligations that could take years to overcomeppAdditionally PII exposure can also possibly be used for targeted social engineering attacks on specific individuals particularly those with significant wealth Cyber criminals could also impersonate them in an attempt to gain access to additional personal or financial information I am not saying that these voters or candidates are at risk of identity theft impersonation or other forms of fraud I am only presenting a hypothetical risk to raise awareness and for citizens to stay vigilant to the realworld threats that can accompany any potential exposure of their PII Knowing the risks and identifying suspicious activity early can help mitigate the damage of any unauthorized or attempted use of an individuals identity or personal informationppI would advise any organization that manages and stores potentially sensitive documents in multiple databases to use unique formats and names that are not easy to guess In this case I was able to simply replace the county name to identify other databases The additional 15 passwordprotected databases still pose significant possible risks as they reveal the filepath of where potential voter or election documents may be stored Hypothetically cybercriminals could launch brute force attacks to attempt to gain unauthorized access or socially engineer individuals to provide credentials or other internal information These databases could also be targeted by denial of service attacks DDoS to disrupt access during elections and prevent the necessary sharing of information Voters and election officials alike need access to documents for tracking and validation purposes and those documents must be stored somewhere It is important that these storage areas are fully protected at the database level and not just when using a frontfacing passwordprotected dashboard that still exposes the document itself to anyone who knows the URL addressppTo secure documents stored in a cloud database that need to be delivered through a dashboard or application I would recommend using a combination of access controls and encryption The best way to protect these documents from being publicly exposed by the URL is to use an access token to generate a unique timelimited access token for authenticated users when they or the system requests the document The token ensures that only authorized users can access or view the document and limits the amount of time the file or document can be accessible This can help mitigate security issues related to direct URL access without proper authentication It should be noted that the databases I saw contained only documents and did not identify the inner workings of how the Platinum Technology Resource voter systems operate My recommendations are for general advice and educational purposes for any organization that collects stores or distributes potentially sensitive information or documents and are not specific to Platinum Technology Resource Platinum Elections Services Magenium or any of the associated entities or thirdparty contractorsppAs an ethical cyber security researcher I never download the data I find and only take a limited number of screenshots to validate and responsibly report my findings to the owner of the data I redact PII and any information that could be deemed as sensitive information I do not imply any wrongdoing by Platinum Technology Resource Platinum Elections Services their partners or thirdparty contractors nor do I claim the information contained in the exposed files or documents was ever at risk It is not known how long the documents were exposed or if anyone else gained access to the publicly accessible database I can confirm that from the time of my discovery and reporting until public access was restricted the duration was approximately 10 days Determining detailed access information would require an internal forensic audit As an ethical security researcher I publish my findings for educational purposes and to promote cyber security and advocate for data protection best practicesppJeremiah an experienced cybersecurity researcher at vpnMentor and cofounder of Security Discovery is renowned for uncovering some of the worlds most significant data breaches Together with the vpnMentor team he has been instrumental in securing the personal data of millions globallyppHis journey in cybersecurity sparked by his interest in a data breach at a former company transformed from a passion into a recognized expertise establishing him as a respected thought leader in the industryppPlease comment on how to improve this article Your feedback matterspp
pp
pp
Sorry links are not allowed in this field
pp
Name should contain at least 3 letterspp
The field content should not exceed 80 letterspp
Sorry links are not allowed in this field
pp
Please enter a valid email addressppppWe check all comments within 48 hours to ensure theyre real and not offensive Feel free to share this article in the meantimepp
This field must contain more than 20 characters pp
The field content should not exceed 1000 letters pp
Name should contain at least 3 letterspp
The field content should not exceed 80 letterspp
Sorry links are not allowed in this field
pp
Please enter a valid email addresspp
Please enter a valid email addressppp
vpnMentor was established in 2014 to review VPN services and cover privacyrelated stories Today our team of hundreds of cybersecurity researchers writers and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC which also owns the following products ExpressVPN CyberGhost and Private Internet Access which may be ranked and reviewed on this website The reviews published on vpnMentor are believed to be accurate as of the date of each article and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer taking into account the technical capabilities and qualities of the product together with its commercial value for users The rankings and reviews we publish may also take into consideration the common ownership mentioned above and affiliate commissions we earn for purchases through links on our website We do not review all VPN providers and information is believed to be accurate as of the date of each article ppCybersecurity Researcher Jeremiah Fowler discovered and reported to VpnMentor about the discovery of 13 nonpasswordprotected databases that contained 46 million documents including voter records ballots multiple lists and electionrelated recordsppppI recently discovered a nonpasswordprotected database that contained a collection of different documents including voting records ballot templates voter registrations and numerous lists All of the physical addresses appeared to be from a single county in the state of Illinois Upon further analysis in my attempt to identify the owner of the dataset I suspected there could be more counties inadvertently exposing voter and election records So I took the known database name format and simply replaced the county name This identified a total of 13 open and publicly accessible databases and an additional 15 databases that exist but are not publicly accessibleppAccording to multiple news articles and freedom of information act FOIA documents posted online these counties have contracts with a company called Platinum Technology Resource This company offers a variety of services ranging from ballot printing to election management and voter registration software The counties indicated in the exposed databases also offer a voter information portal that redirects to a domain indicating Platinum vrms I can only speculate this stands for voter record management system To verify this I made phone calls to several county clerks offices and was informed that only one vendor Platinum Technology Resource manages their voter and election data and it is known as Platinum Elections ServicesppOnce I was reasonably sure who managed the database I sent a responsible disclosure notice to Platinum Technology Resource However in a follow up review the next day I noticed the database was still publicly accessible In an attempt to identify other contact details I found several additional FOIA documents indicating an Illinoisbased technology company called Magenium is responsible for the technical support of Platinum Elections Services During a phone call to Magenium I was told that they are a partner of Platinum Technology Resource and that they would look into my findings A day after sending Magenium a responsible disclosure notice the databases were restricted In a phone call a representative from Magenium confirmed their closure of the databases and that Platinum Election Services was aware of the situation It is not known how long the documents were exposed or if anyone else gained access Only an internal forensic audit could identify additional access or suspicious activityppAccording to their website Platinum Technology Resource has been providing election technology and services to counties throughout the State of Illinois for over thirtyfive 35 years Through voter registration electionday support ballot management tabulation and election management software we have incorporated lessons learned into our product PlatinumVRppThe exposed databases containedcsv documents with lists of available or active voters absentees early mailin voting records and duplicate voters Other documents marked as voter records contained far more potentially sensitive personal information including full name physical address some email addresses date of birth SSN full and partial or drivers license number and historical voting records The database also contained copies of voter registration applications death certificates and records of change of address jurisdiction or state There were also candidate documents such as statements of candidacy detailing personal phone number email address and home address These candidate documents also included petitions with voter signatures addresses candidate loyalty oath economic interest and additional supporting documentation There were also documents marked as official ballot templates for primaries and general electionsppThere are few things in the US as divisive as politics but everyone can probably agree that data protection and the security of election systems is a necessity Since 2017 the Department of Homeland Security classifies election infrastructure as critical acknowledging that the incapacitation or destruction of election systems would have a devastating effect on the country According to information published by CISA this includes voter registration databases and associated IT systems used to manage elections such as the counting auditing and displaying of election results and the postelection reporting to certify and validate resultsppIt is important to maintain public trust in the electoral process in the United States and democracies around the world This trust is especially true in the wake of the 2020 election when the integrity of the process was called into question As a nonpolitical person I believe that no matter what your political beliefs are all citizens should feel that their votes matter Any assertions that elections are not fair could potentially harm civic engagement and the overall trust in the democratic processppIt is important to maintain public trust in the electoral process in the United States and democracies around the world This trust is especially true in the wake of the 2020 election when the integrity of the process was called into question As a nonpolitical person I believe that no matter what your political beliefs are all citizens should feel that their votes matter Any assertions that elections are not fair could potentially harm civic engagement and the overall trust in the democratic processppMany reports on social media claim that the names and voter records of deceased individuals were allegedly used to cast votes in past elections changing the outcome in favor of one candidate or another In a limited sample of documents I reviewed I crossreferenced several exposed death records with active voter lists and I am happy to report none of those names appeared or were included as active voters Based on the documents I saw there was nothing to indicate anything suspicious or that the elections in those jurisdictions were not free and fair Although there were no signs of any wrongdoing it is crucial to protect elections and voter data from cyber attacks which may include tampering with documents or using exposed voter information for fraud or misinformation Concerns about election tampering through a cyber attack could undermine confidence in the accuracy and fairness of election outcomes and this is why the US government has deemed election data as critical infrastructureppThe potential risk of a coordinated disinformation campaign using voter lists and voter registrations is a serious concern from both outside actors such as Russia or China and domestic activists looking to sway political opinions According to a study conducted by the Pew Research Center in 2020 75 of American voters believed there would be outside interference in the presidential election Having PII of voters would potentially allow malicious actors to send them misleading information about voting dates locations or requirements based on their party affiliation Another possible risk is voter intimidation which includes using past voter history to threaten or harass votersppAnother hypothetical concern would be if a criminal used a voters information and voter ID number to cast multiple ballots by mail triggering potential legal problems for the real voter and invalidating their real vote These tactics could undermine the democratic process in rural areas where a small number of votes can influence the outcome by reducing voter turnout or manipulating local or state election results in favor of a particular candidate or agenda I am not saying there is an imminent threat of voter fraud or intimidation based on this data exposure I am only presenting a hypothetical realworld risk scenarioppExposed PII combined with highly sensitive information such as Social Security Numbers and drivers license numbers poses significant risks beyond the political sphere Criminals could potentially use information intended for voter registration to commit identity theft and various forms of fraud Many banks credit card companies and loan providers require little more than a matching SSN and date of birth Additionally the same information could be used to file fraudulent tax returns According to the IRS in 2023 over 1 million tax returns were flagged for additional review for potential identity fraud and totaled more than 6 billion in refunds Identity theft can have severe financial consequences and leave victims with damaged credit or other legal and financial obligations that could take years to overcomeppAdditionally PII exposure can also possibly be used for targeted social engineering attacks on specific individuals particularly those with significant wealth Cyber criminals could also impersonate them in an attempt to gain access to additional personal or financial information I am not saying that these voters or candidates are at risk of identity theft impersonation or other forms of fraud I am only presenting a hypothetical risk to raise awareness and for citizens to stay vigilant to the realworld threats that can accompany any potential exposure of their PII Knowing the risks and identifying suspicious activity early can help mitigate the damage of any unauthorized or attempted use of an individuals identity or personal informationppI would advise any organization that manages and stores potentially sensitive documents in multiple databases to use unique formats and names that are not easy to guess In this case I was able to simply replace the county name to identify other databases The additional 15 passwordprotected databases still pose significant possible risks as they reveal the filepath of where potential voter or election documents may be stored Hypothetically cybercriminals could launch brute force attacks to attempt to gain unauthorized access or socially engineer individuals to provide credentials or other internal information These databases could also be targeted by denial of service attacks DDoS to disrupt access during elections and prevent the necessary sharing of information Voters and election officials alike need access to documents for tracking and validation purposes and those documents must be stored somewhere It is important that these storage areas are fully protected at the database level and not just when using a frontfacing passwordprotected dashboard that still exposes the document itself to anyone who knows the URL addressppTo secure documents stored in a cloud database that need to be delivered through a dashboard or application I would recommend using a combination of access controls and encryption The best way to protect these documents from being publicly exposed by the URL is to use an access token to generate a unique timelimited access token for authenticated users when they or the system requests the document The token ensures that only authorized users can access or view the document and limits the amount of time the file or document can be accessible This can help mitigate security issues related to direct URL access without proper authentication It should be noted that the databases I saw contained only documents and did not identify the inner workings of how the Platinum Technology Resource voter systems operate My recommendations are for general advice and educational purposes for any organization that collects stores or distributes potentially sensitive information or documents and are not specific to Platinum Technology Resource Platinum Elections Services Magenium or any of the associated entities or thirdparty contractorsppAs an ethical cyber security researcher I never download the data I find and only take a limited number of screenshots to validate and responsibly report my findings to the owner of the data I redact PII and any information that could be deemed as sensitive information I do not imply any wrongdoing by Platinum Technology Resource Platinum Elections Services their partners or thirdparty contractors nor do I claim the information contained in the exposed files or documents was ever at risk It is not known how long the documents were exposed or if anyone else gained access to the publicly accessible database I can confirm that from the time of my discovery and reporting until public access was restricted the duration was approximately 10 days Determining detailed access information would require an internal forensic audit As an ethical security researcher I publish my findings for educational purposes and to promote cyber security and advocate for data protection best practicesppJeremiah an experienced cybersecurity researcher at vpnMentor and cofounder of Security Discovery is renowned for uncovering some of the worlds most significant data breaches Together with the vpnMentor team he has been instrumental in securing the personal data of millions globallyppHis journey in cybersecurity sparked by his interest in a data breach at a former company transformed from a passion into a recognized expertise establishing him as a respected thought leader in the industryppPlease comment on how to improve this article Your feedback matterspp
pp
pp
Sorry links are not allowed in this field
pp
Name should contain at least 3 letterspp
The field content should not exceed 80 letterspp
Sorry links are not allowed in this field
pp
Please enter a valid email addressppppWe check all comments within 48 hours to ensure theyre real and not offensive Feel free to share this article in the meantimepp
This field must contain more than 20 characters pp
The field content should not exceed 1000 letters pp
Name should contain at least 3 letterspp
The field content should not exceed 80 letterspp
Sorry links are not allowed in this field
pp
Please enter a valid email addresspp
Please enter a valid email addressppp
