September 15, 2017
While Equifax is taking heat for leaking the personal information of over 140 million people, another leak has turned up in the government's own backyard. A cache of voter records on over half a million Americans has been dumped online.
The cache contains details about voters, including names, addresses, dates of birth, ethnic identity, marital status, and voting preferences. A total of 593,328 individual records have been made public. According to the security researchers at the Kromtech Security Research Center, who found the database online, the records appear to cover every registered voter in the state of Alaska.
The records were apparently stored in a misconfigured CouchDB database, which was accessible to anyone with a web browser until Monday, when the data was secured and subsequently pulled offline.
“In this case CouchDB was misconfigured in such a way that there is no password/login required to access the data (as well as some other non-SQL databases, e.g. MongoDB). In simple words - administrators often skip or disable security settings in order to ease access to the database internally or remotely. By default, the database is secured. Moreover, Couch also has a web interface which allows viewing and editing the information even in a browser, without extra special software,” said Bob Diachenko, chief security communications officer at Kromtech Security Center.
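A configuration audit for the kind of exposure described above, as an added example that is not from the article or from Kromtech. The article does not say which settings were wrong in this incident, so the choice of checks (CouchDB's `[admins]` section, `require_valid_user`, and `bind_address`) is an assumption, and both sample files are constructed.

```python
import configparser

# Constructed sample configs (not taken from the incident).
OPEN_INI = """
[chttpd]
bind_address = 0.0.0.0
[admins]
"""
LOCKED_INI = """
[chttpd]
bind_address = 127.0.0.1
require_valid_user = true
[admins]
admin = -pbkdf2-constructedhash,constructedsalt,10
"""

# Section names differ between CouchDB releases, so check all of them.
AUTH_SECTIONS = ("chttpd", "chttpd_auth", "couch_httpd_auth")
BIND_SECTIONS = ("chttpd", "httpd")


def audit_couchdb_ini(text):
    """Return a list of findings for a CouchDB ini file given as text."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    findings = []
    # With no entry under [admins], CouchDB 1.x and 2.x treat every
    # request as coming from an administrator.
    if not (cfg.has_section("admins") and cfg.options("admins")):
        findings.append("no-admin-account")
    # Anonymous reads stay possible unless a valid user is required.
    if not any(cfg.getboolean(s, "require_valid_user", fallback=False)
               for s in AUTH_SECTIONS):
        findings.append("anonymous-access-allowed")
    # Listening on every interface exposes the HTTP API and the web UI.
    for s in BIND_SECTIONS:
        if cfg.get(s, "bind_address", fallback=None) in ("0.0.0.0", "::"):
            findings.append(f"listens-on-all-interfaces:{s}")
    return findings


if __name__ == "__main__":
    for name, ini in (("open", OPEN_INI), ("locked", LOCKED_INI)):
        print(name, audit_couchdb_ini(ini))
```

An empty result means none of the three checked conditions is present; it does not cover per-database permissions or network-level filtering.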
Kromtech has been credited with discovering and reporting several US voter databases online, with a total of 18 million voters, as well as the state of Louisiana's entire database of 2.9 million voters. Its VP of strategic Alliance, Alex Kernishniuk, said that this was yet another wakeup call and that the aging electoral systems had to be replaced.
“There seems to be no end in sight for improperly secured data making its way onto the web and with little or no accountability for proper storage and security measures it is up to regulators to decide the best way to manage an aging electoral system that seems to be struggling to keep up with the digital age,” he said. “This is yet another wakeup call for companies, governments, and political organizations to audit their networks, servers and storage devices and ensure they take the proper security precautions.”