Contractor Exposes Personal Information Of 1.8 Million Chicago Voters On AWS

from the oops dept

At some point, it seems clear that if Chris Vickery comes a-callin', you've screwed up when it comes to keeping the private information of customers/voters secure. Vickery works for Upguard, a cyber-security consulting firm that regularly seeks out insecure sites and works with their owners to secure them. Vickery's fingerprints have been on discoveries such as Verizon's exposure of the personal information of 6 million of its customers and a firm contracted by the GOP exposing the personal data of roughly every American voter everywhere.

And now Vickery and Upguard have found that a contractor managing the city of Chicago's voter rolls appears to have exposed more personal information on an AWS server.

The acknowledgment came days after a data security researcher alerted officials to the existence of the unsecured files. The researcher found the files while conducting a search of items uploaded to Amazon Web Services, a cloud system that allows users to rent storage space and share files with certain people or the general public. The files had been uploaded by Election Systems & Software, a contractor that helps maintain Chicago's electronic poll books.

Election Systems said in a statement that the files "did not include any ballot information or vote totals and were not in any way connected to Chicago's voting or tabulation systems." The company said it had "promptly secured" the files on Saturday evening and had launched "a full investigation, with the assistance of a third-party firm, to perform thorough forensic analyses of the AWS server."

So, a couple of things to note here. First, while it's true that no voting information was exposed, a good deal of personal information certainly was: names, addresses, and the last four digits of Social Security numbers; you know, all of the things one would need to wreak havoc on a person using their identifying information. Second, it appears that "promptly securing" the files mostly consisted of actually requiring a password to access them. There was no hacking required for Vickery to get to these files, because there was no password protecting them. Great.
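The failure the article describes is a storage bucket that anyone who found it could read. As an added example (not code from the post, from Upguard or from ES&S), the Python below checks, entirely offline, the three settings that decide whether an S3 bucket is public: its ACL, its bucket policy, and the Block Public Access flags. The ACL and policy documents are constructed samples in the JSON shape the S3 API returns; the bucket name and role ARN are placeholders, and nothing here reflects the actual configuration of the ES&S bucket, which the article does not detail.

```python
"""Offline audit of S3 bucket access settings: would this bucket be readable by anyone?

Added example for this post, not code from Techdirt, Upguard or ES&S. The ACL,
bucket-policy and public-access-block documents below are constructed samples in
the JSON shape the S3 API returns (GetBucketAcl, GetBucketPolicy,
GetPublicAccessBlock); the bucket name and role ARN are placeholders.
"""
from typing import Dict, List

# Predefined S3 groups that make a grant "public". AuthenticatedUsers means any
# AWS account in the world, so it is treated as public here as well.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}


def acl_public_grants(acl: Dict) -> List[str]:
    """List ACL grants to AllUsers/AuthenticatedUsers (the classic 'public-read')."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"ACL grants {grant['Permission']} to {group}")
    return findings


def _wildcard_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy: Dict) -> List[str]:
    """List Allow statements open to every principal. A Condition does not make a
    wildcard statement safe by itself, so those are reported for manual review."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _wildcard_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Condition"):
            findings.append(f"policy {sid} allows {','.join(actions)} to Principal * with a Condition (review)")
        else:
            findings.append(f"policy {sid} allows {','.join(actions)} to everyone")
    return findings


def audit_bucket(name: str, acl: Dict, policy: Dict, pab: Dict) -> Dict:
    """Combine the three settings. With IgnorePublicAcls and RestrictPublicBuckets
    both on, Block Public Access neutralises public ACLs and public policies even
    if they are still present; the findings are kept so they can be cleaned up."""
    findings = acl_public_grants(acl) + policy_public_statements(policy)
    guarded = bool(pab.get("IgnorePublicAcls")) and bool(pab.get("RestrictPublicBuckets"))
    return {"bucket": name, "findings": findings, "public": bool(findings) and not guarded}


# Constructed sample: owner FULL_CONTROL plus a READ grant to AllUsers.
EXPOSED_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}
PRIVATE_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [EXPOSED_ACL["Grants"][0]]}

# Constructed sample: anonymous read of every object in the bucket.
EXPOSED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-pollbook-bucket/*"}],
}
# Hardened form: the same read permission, granted only to one named role (placeholder ARN).
PRIVATE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "RoleRead", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-pollbook-sync"},
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-pollbook-bucket/*"}],
}
NO_BLOCK = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
FULL_BLOCK = {k: True for k in NO_BLOCK}

if __name__ == "__main__":
    for label, acl, pol, pab in [("as exposed", EXPOSED_ACL, EXPOSED_POLICY, NO_BLOCK),
                                 ("same settings, Block Public Access on", EXPOSED_ACL, EXPOSED_POLICY, FULL_BLOCK),
                                 ("hardened", PRIVATE_ACL, PRIVATE_POLICY, NO_BLOCK)]:
        print(label, audit_bucket("example-pollbook-bucket", acl, pol, pab))
```

The hardened policy keeps the same read permission but names a single role instead of `Principal: "*"`; in a real audit the three documents would come from boto3's `get_bucket_acl`, `get_bucket_policy` and `get_public_access_block`, and the check would run over every bucket in the account rather than one constructed sample.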

Now, where I will give ES&S credit is that they are working with Upguard, rather than trying to vilify it, as we've seen done to so many other security researchers. That's a good thing. Still, Chicago officials are pretty pissed off.

"We were deeply troubled to learn of this incident, and very relieved to have it contained quickly," Chicago Election Board Chairwoman Marisel A. Hernandez said in a statement. "We have been in steady contact with ES&S to order and review the steps that must be taken, including the investigation of ES&S' AWS server. We will continue reviewing our contract, policies and practices with ES&S. We are taking steps to make certain this can never happen again."

Allen added that the board is considering how to notify and potentially offer remedies to those whose information was exposed.

"The expense for that is going to be borne by ES&S," Allen said. "This was a violation of the contract terms that explicitly lay out the requirement to safeguard the voters' data."

It's a wonder to this writer that the constant calls for things like e-voting machines continue when those in charge of securing voter data can't even do that right.


Filed Under: aws, chicago, chris vickery, cybersecurity
Companies: upguard


Reader Comments


  • Ninja (profile), 18 Aug 2017 @ 12:15pm

    So, is there any American besides a few hermits who hasn't had their data exposed in any way by people that said "trust us" first?


    • Anonymous Coward, 18 Aug 2017 @ 1:52pm

      Re:

      Probably not.
      Are these inept folk fired, demoted, or have an entry in their performance appraisal noting their incompetence?


    • Anonymous Coward, 18 Aug 2017 @ 2:49pm

      Re:

      Sure: Those who never vote. See? There is a good reason not to vote after all.


  • Mason Wheeler (profile), 18 Aug 2017 @ 1:58pm

    Typo alert

    First, while it's true nt voting information was exposed

    I do nt think that's what you meant.


  • Anonymous Coward, 18 Aug 2017 @ 2:03pm

    "The expense for that is going to be borne by ES&S," Allen said. "This was a violation of the contract terms that explicitly lay out the requirement to safeguard the voters' data."

    What?! Government isn't going to pay for this mistake? And the actual party that messed up, is going to foot the bill?


  • afn29129 (profile), 18 Aug 2017 @ 2:04pm

    You really have no privacy.

    Really the only info not readily available in the leak was the DL numbers and Last-4-SSN. Everything else is sold on CD-ROM for the whole state of IL for just $500.00 .. or $100.00 for Cook County only. There's also a ton of other online sources, for free or a small fee, where such info is available.


  • Vidiot (profile), 18 Aug 2017 @ 3:07pm

    Hot news for the "Election Integrity Commission"... have your credit card ready -- there's someone on the Dark Web looking to sell you all that stuff the states refused to surrender...


  • Jeff R, 18 Aug 2017 @ 5:30pm

    How many of them were dead?


  • orbitalinsertion (profile), 18 Aug 2017 @ 5:50pm

    It's a wonder to this commenter that organizations still bork the simplest security measures and have these poorly secured systems connected to the internet.

    OK, I lie, it isn't a wonder to me at all. The only thing I find mildly astonishing is that these organizations, or those who hire them, are surprised when it is brought to their attention. Although, that surprise may be feigned as well.


    • Bergman (profile), 18 Aug 2017 @ 6:58pm

      Re:

      Doesn't surprise me at all. Far too many people, especially in positions of authority, look to Hollywood movies for their education on how computers work.

      The Hollywood approach to defeating hackers:

      Step 1: Connect vital systems to the internet because reasons.

      Step 2: Get hacked, causing immense, irrevocable harm.

      Step 3: Dashing action hero leads a team of amusingly dysfunctional 'computer security' experts in a daring last-minute fight to protect data. Gratuitous car chase scenes, SWAT raids and pointing of guns at people armed only with laptops ensue.

      Step 4: Good guys win and hackers never try again despite no one ever patching the security flaw.


      How a real computer security professional defeats hackers:

      Step 1: Never connect stuff like that to the internet in the first place.


    • That One Guy (profile), 18 Aug 2017 @ 7:55pm

      Re:

      The only surprising part of this story, and the fact that it is surprising is all sorts of sad, is that the company didn't lash out against the ones that informed them of the problem, and is in fact working with them.


  • Anonymous Coward, 18 Aug 2017 @ 6:55pm

    Cool story, bore.

    But at least it's late.


  • Anonymous Coward, 18 Aug 2017 @ 7:37pm

    Allen added that the board is considering how to notify and potentially offer remedies to those whose information was exposed.

    Funny, I didn't know it was so easy to change the last 4 digits of an SSN and relocate an entire town to new addresses. :)


  • USARetired (profile), 18 Aug 2017 @ 11:10pm

    Again, raise your hand if you trust 'the government' and 'politicians' to keep your personal data out of their "donor's hands"? This was probably an intentional release by 'the government' using IT as a scapegoat!


  • tom (profile), 19 Aug 2017 @ 9:37am

    How else are folks in Chicago supposed to vote early and often if they don't have a list of names to use?

    What TFA didn't mention was how much of that info was already public knowledge. In most states, voter information like name, party affiliation, address, and recent voting history is publicly releasable and often made available to anyone who asks. Guessing that the driver's license number shouldn't have been in the file, but the rules vary from state to state.


  • tin-foil-hat, 19 Aug 2017 @ 10:41am

    Corporations are people and money is speech

    Small donors are not people and will be doxed for having the audacity to speak http://docquery.fec.gov/cgi-bin/forms/C00431445/807720/sa/18/23


  • Anonymous Coward, 21 Aug 2017 @ 7:07am

    There was no hacking required for Vickery to get to these files, because there was no password protecting them.

    Didn't help weev.


