State authorities and the Federal Bureau of Investigation were alerted this week to a major data leak exposing the names, addresses, dates of birth, partial Social Security numbers, and party affiliations of over a million Chicago residents. The company that services the electronic systems for voting, Election Systems & Software (ES & S) confirmed the leakage of information from the server.
Chicago election officials say they are investigating a security breach involving data from city voters and a contractor for the election board. The voter data was then downloaded by cyber risk analyst Chris Vickery who determined Election Systems & Software (ES&S) controlled the data.
The firm is also now reviewing all procedures and protocols, including those of its vendors, to make sure that its systems and data are secured and prevent any similar incidents in the future.
"We have been in steady contact with ES&S to order and review the steps that must be taken, including the investigation of ES&S's AWS server", said Chicago Election Board chairwoman Marisel Hernandez in a statement.
There was no any voting information regarding someone's actual vote could be leaked but no one except the staff of UpGuard noticed the leak. Back in June, Gizmodo reported how the company discovered a huge unsecured database of nearly 200 million United States voters. The encryption was strong enough to keep out a casual hacker but by no means impenetrable, said Henden. "The worse case scenario is that they could be completely infiltrated right now", he said.
Strangely, only Chicago's data was exposed by a misconfiguration. While ES&S's prompt remediation of the breach is welcome news, the breadth of the exposure, affecting virtually every registered Chicago voter, is a stark reminder of how endemic cyber risk is to any process with a digital surface - including, in recent years, the processes of democracy.
The company provides voting machines and services in at least 42 states and describes itself as the "world's largest elections-only company".
Chicago Election Board spokesman Jim Allen said a well-known security expert who scours the Internet found names and other data from almost two million Chicago voters and called the authorities. Still, Chicago officials are pretty pissed off. "Now, with more headlines and more examples of where to look, you can bet that malicious actors have already written the equivalent of search engines to more automatically find these hidden treasures of sensitive data", Johnson said.