Databases containing confidential voter information from several Illinois counties were openly available on the Internet, revealing 4.6 million records that included driver’s license numbers, as well as full and partial Social Security numbers and documents such as death certificates. Longtime security researcher Jeremiah Fowler stumbled upon one of the databases, which appeared to contain information from DeKalb County, Illinois, and subsequently discovered 12 other exposed databases. None were password-protected or required any form of authentication to access.
As cyberattacks—both criminal and state-run—grow ever more sophisticated and aggressive, threats to critical infrastructure emerge. But often, the biggest vulnerabilities come not from esoteric software issues, but from glaring errors that leave the safe door open and the crown jewels exposed. After years of efforts to bolster election security across the United States, state and local awareness of cybersecurity issues has improved significantly. But as this year’s U.S. election rapidly approaches, the findings reflect the reality that there are always more oversights to spot.
“I’ve found voter databases in the past, so I know if it’s a low-level marketing outreach database that someone has purchased,” Fowler tells WIRED. “But here I saw voter applications — there were scans of documents and then screenshots of online applications. I saw lists of active voters, absentee voters with email addresses — some of them military email addresses. And when I saw Social Security numbers and driver’s license numbers and death certificates, I thought, ‘Okay, those shouldn’t be there.’”
Through public records, Fowler determined that all of the counties appear to have contracts with an Illinois-based election management service called Platinum Technology Resource, which provides voter registration software and other digital tools along with services like ballot printing. Many Illinois counties use Platinum Technology Resource as an election services provider, including DeKalb, which confirmed its relationship with Platinum to WIRED.
Fowler informed Platinum about the unprotected databases on July 18, but says he received no response and the databases remained exposed. As Fowler dug deeper into public records, he realized that Platinum works with Illinois-based managed services provider Magenium, so he sent a statement to that company on July 19 as well. Again, he says he received no response, but shortly afterward the databases were protected, which removed them from public view. Platinum and Magenium did not respond to WIRED’s multiple requests for comment.
Platinum began distributing a notification, viewed by WIRED, to affected counties on Friday. “We have evidence of an allegation that the file storage containing voter registration documents may have been scanned,” Platinum wrote, adding that the exposed databases do not indicate a deeper compromise of its systems. “A thorough investigation was executed. The findings support our continued belief that there is no evidence that voter registration forms were leaked or stolen. … We are taking this opportunity to implement new and additional safeguards around voter registration documents.”
The Illinois Data Breach Notification Act requires notification to the state within 45 days of an incident. A standard version of a Champaign County contract for technology services, published publicly through a Freedom of Information Act request, requires a contractor to notify the affected county within 15 minutes of identifying a data breach.
Fowler notes that while the exposed information could make affected individuals more susceptible to identity theft and other scams, it could also be misused to submit multiple applications for mail-in ballots or engage in other suspicious activity that could call into question a voter’s legitimate vote and take time to reconcile. But he adds that the death certificates and other documentation contained in the file reflect the work that election officials across the country do to manage voter rolls and ensure that everyone’s vote is accurately counted.
“There has certainly been progress in basic data security, and I don’t see things like this very often anymore,” Fowler says. “But I used the open, public Internet and I didn’t use any specialized tools to find this. And at the end of the day, this is critical infrastructure that was exposed.”