In-brief: A security researcher discovered a database containing information on 190 million voters. But whose data is it?
The web site Databreaches.net is reporting that a security researcher has discovered a misconfigured database containing information on 190 million registered voters that could be accessed by anyone with knowledge of where to look. The mystery: whose data is it?
The incident is just the latest to underscore the Wild West atmosphere that prevails among private firms and, increasingly, political campaigns and PACs (political action committees) in the absence of strong federal data privacy legislation. Among the outstanding questions in the latest incident: who is responsible for the massive trove of exposed voter data, which is large enough to encompass every registered voter in the U.S., and whether any laws are being violated in exposing the voter data.
News of the breach came after independent researcher Chris Vickery notified the website Databreaches.net that he had discovered a massive trove of voter data encompassing records for 191,337,174 voters. Just for comparison: that is more than all registered voters in the U.S., which the U.S. Census Bureau estimates at 142 million individuals.
The data appears to be exposed as the result of a misconfigured database server that makes it accessible to casual browsers. It includes voters’ names, mailing and e-mail addresses, phone numbers and whether or not they participated in recent elections – a nice collection of data that could be used to locate an individual. However, protected information such as Social Security Numbers or credit card numbers is not reported to be part of the.
That kind of information is readily compiled by politicians and political campaigns across the country and shared between campaigns and parties. For the most part, voter registration is considered public and isn’t protected either by federal law or – in most cases – by state laws. Some states, such as California, do protect some voter information (such as for public safety officers) from public disclosure. Most states restrict the use of voter registration information for commercial purposes.
The question troubling Vickery and journalist Steve Ragan over at the Salted Hash blog is: ‘whose data is this?’
That turns out to be a difficult question to answer. The two initially focused on NationBuilder, a Los Angeles-based data broker that was co-founded by Sean Parker of Napster (and Facebook) fame. Their interest in NationBuilder was prompted by clues within the exposed database that seem to tie back to that firm.
NationBuilder has disavowed any knowledge of or link to the exposed database. The IP address on which the server hosting the data is located doesn’t belong to NationBuilder or any of the company’s hosted services customers, the company has said.
Does that mean it’s not NationBuilder’s data? Not at all. As Ragan points out: the company’s database of national voters may well have been sold to a third party who is responsible for leaving it exposed on the Internet. NationBuilder may or may not know who that responsible party is. In any case: the company is under no obligation to say.
The incident, coming on the heels of the dust-up between the presidential campaign of Bernie Sanders, the Democratic National Committee and the firm NGP VAN, underscores the degree to which massive troves of voter data are now the most powerful and oft-used tools in a campaign’s toolbox. With a presidential election in the offing, and State, House and local races down ticket, the list of campaigns anxious to buy, then slice and dice voter information is long. Alas: the talent within campaigns to protect that data is hard to come by.
Who pays: clearly voters do. Much voter data can be obtained for a small fee from local city and town halls nationwide. But obtaining small slices of voter information on localities is far different from obtaining a wealth of data on everyone, all at once. And opportunities for misuse and abuse are endless.
But with no federal data privacy protection and strong state-level data privacy laws limited to a handful of states, it’s likely that the latest breach will become just another (fat) data point on an already crowded timeline of data leaks, data thefts and other mishaps.
Security Ledger will follow this story as it evolves. Stay tuned and remember to check back for updates to this story.