As investigators around the nation begin to probe the exposure online of more than 191 million voter records, including millions from California, the focus is not so much on what dangers the leak poses as curiosity about whose data this is
Researcher Chris Vickery discovered the database of nearly every registered voter in the country, exposed because of a misconfiguration, on December 20 and DataBreaches.net published his story Monday. The data included names, addresses, phone numbers and e-mail addresses, but not Social Security numbers, driver’s license numbers, passwords and other more sensitive information.
The records can also contain date of birth, gender, ethnicity, a state voter ID and notice of being on Do Not Call or permanent absentee voter lists.
DataBreaches tried to track down the database owner, but didn’t get far. Some of the data fields looked proprietary, and pointed to Nation Builder. So they contacted the company that makes “Software for Leaders” who are devoted to scattering the digital DNA of all humanity across the planet, to see if the database was theirs or one of their client’s.
There was no response for 24 hours, so they contacted the FBI and Harris’ office to see if anyone was interested in shutting the database down before its address went viral. While waiting to find out what government would do, DataBreaches heard from Nation Builder.
The database did not belong to them but they could not speak for clients. It could be a leaked copy of the client’s database, a hacked copy stashed away, or an employee’s personal copy.
NationBuilder founder and chief executive Jim Gilliam said in a statement it didn’t really make a difference. “From what we’ve seen, the voter information included is already publicly available from each state government so no new or private information was released in this database.”
That is reassuring. Still, it can be unnerving to find Vickery’s post on Reddit announcing his discovery: “I’m Chris Vickery. I know your phone number, address, date of birth, and more (if you're registered to vote in the US).” Vickery said the database appeared to be offline late Monday night.
The majority of states do not restrict voter registration information, according to DataBreaches. California does. State law makes voting data confidential, but privacy is a relative term. It can’t be sold for marketing purposes, however, the Sacramento Bee says it can be used for political, electoral, academic, journalistic or governmental endeavors.
Marketing firms that act as consultants to political campaigns can obtain voter data and combine it with a multitude of other sources of personal information (gun ownership, religious affiliation, financial status, etc.) to provide expensive guides to electioneering. The presidential campaign staff of Senator Bernie Sanders (D-Vermont) recently got in trouble for poking around in the Hillary Clinton’s database.
The day after the news broke, California Secretary of State Alex Padilla said the data didn’t come from his office and he was cooperating with state Attorney General Kamala Harris in what may or may not be an investigation. “Harris’ office would not comment on a potential or ongoing investigation, to protect the integrity of any probe,” a spokeswoman told the Bee.
The anonymous blogger who produces DataBreaches detected a certain lack of enthusiasm. “So while I’m pleased to see the Secretary of State say they’re working to verify claims and will assist the AG’s office in any way, I suspect California voters would like to know that their government is definitely investigating and is prepared to take action to protect their privacy.”
–Ken Broder
To Learn More:
California Might Investigate Massive Leak of Voter Records (DataBreaches.net)
Possible Voter Data Breach Probed by California Elections Officials (by Christopher Cadelago, Sacramento Bee)
191 Million U.S. Voters’ Personal Info Exposed by Misconfigured Database (by Jeff Goldman, eSecurity Planet)
State Officials Investigating Potential Data Leak on Millions of California Voters (by Christine Mai-Duc, Los Angeles Times)
191 Million Voters’ Personal Info Exposed by Misconfigured Database (DataBreaches.net)