Dec 28, 2015
 

Personal, public, and some non-public information on 191 million registered voters exposed
– Efforts to identify database’s owner to notify them unsuccessful
– Database still exposed

A misconfigured database leaking the personal information of over 191 million voters was reported to DataBreaches.net by researcher Chris Vickery. This report includes some of the results of an investigation by Vickery, DataBreaches.net, and Steve Ragan of Salted Hash.

UPDATE: As of earlier this evening, the database is no longer publicly available. Earlier today, NationBuilder issued this statement.

UPDATE2: i360 subsequently responded to an inquiry from DataBreaches.net and confirmed that the data were not theirs.

Backgrounder: What Data Are in a Voter’s List?

Voter lists or databases may include a lot of information about you in addition to the information you are required to provide when you first register as a voter. They may contain your first and last name, your home and mailing addresses, your date of birth, gender, and ethnicity, the date you registered to vote, your telephone number, your party affiliation, your e-mail address if you provided one when you registered, your state voter ID, whether you’re a permanent absentee voter, and whether or not you’re on the Do Not Call list.

Lists of voter registration information may be obtained from your state and then combined with other data sources by marketing firms or those serving as consultants to political parties or political campaigns. Who can obtain the state’s voter list, and how it may be used depends on the state’s laws. So databases developed for political campaigns may also include whether or not you voted in the last general and primary elections, whether you appeared to follow a party line vote, and there may be a score predicting whether you’re likely to vote in an upcoming election or for a particular party or candidate. Databases developed for issue-oriented campaigns or non-profits doing fundraising may contain even more personal information such as your religious affiliation, whether you’re likely to be anti-abortion, whether you’re a gun owner, etc.

While the majority of states make their voter registration lists available as a matter of public record and place no restrictions on their use, some states do restrict use. For example, South Dakota requires the requestor of voter registration data to sign a statement:

“In accordance with SDCL 12-4-41, I understand that the voter registration data obtained from the statewide voter registration database may not be used or sold for any commercial purpose and may not be placed for unrestricted access on the internet.”

In California, information on voter registration cards is considered confidential, and subject to many restrictions to access and use. One of the restrictions is that the information may not be made available to persons outside the U.S. And in Hawaii, voter registration information may only be used for elections and by the government.

But for the most part, not only can political organizations acquire information about you, they may be able to post it publicly, or even create an app with the information.

Not surprisingly, the more complete the list or database, the more costly it may be. A database with information on all American voters, for example, might go for about $270,000, according to one marketing firm consulted by researcher Chris Vickery.

Voter lists have a number of recognized uses. Even though a percentage of the records are likely to contain inaccuracies, these databases are a goldmine of potential voters for political parties and campaigns, as well as pollsters. The recent political flap when some of Bernie Sanders’ staffers accessed the Clinton campaign’s data shows how highly prized such information is for political purposes. Voter lists or databases also provide a treasure trove of leads for non-profit organizations doing fund-raising, and they are a valuable resource for journalists investigating election issues or candidates, for scholars, and for the government itself.

Researcher Chris Vickery Uncovers a Gold Mine

On December 20, researcher Chris Vickery contacted DataBreaches.net to say he had found a database with 191,337,174 Americans’ voter information exposed due to a misconfiguration of the database.

He admits he got quite a shock when he found his own information in it, and sent along this screenshot:

Researcher Chris Vickery was shocked to find his accurate record available online. Two other individuals also confirmed that information on them was accurate.

Chris wasn’t the only one to get a rude shock. “Sam,” a police officer known to DataBreaches.net who asked that we not use his last name, was also concerned when DataBreaches.net showed him accurate details on himself.* To protect his and his family’s safety, Sam does not have a publicly listed phone number or address. When shown the information on him in the database, Sam’s response was “Oh man. … I deal with criminals every day who know my name. The thought of some vindictive criminal being able to go to this site and get my address makes me uncomfortable. I’m also annoyed that people can get my voting record. Whether I vote Republican or Democratic should be my private business.”

While states may suppress police officers’ voter registration records if they individually request it, it appears that there is no uniform automatic suppression of law enforcement personnel’s records in publicly available voter registration lists.

Thankfully, there are no Social Security numbers, driver’s license numbers, or any financial information in this particular database, but full name, date of birth, and address and phone number with political party and other fields – are problematic enough when it comes to protecting our privacy and security.

To see an almost-complete list of the data fields in this leaky database so you can find out what information about you may now be publicly available, see a redacted entry, here.
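The report says only that the database was exposed “due to a misconfiguration,” and a commenter below infers from the JSON record structure that it is a MongoDB instance. Nothing on this page confirms the engine, but an unauthenticated MongoDB listener on a public IP is the most common shape of this class of leak, so as an added editorial example (not part of the original report, and not a claim about how this particular server was configured) here is the weak mongod.conf that produces an internet-readable database, beside the corrected settings:

```yaml
# ADDED EXAMPLE: illustrative mongod.conf fragments. The engine (MongoDB) is an
# assumption taken from a reader comment, not a finding of the report above.

# --- Weak: listens on every interface with no access control ---------------
# On MongoDB releases of this era the daemon bound to all interfaces unless
# told otherwise (some distro packages shipped a localhost-only config), and
# authorization was off by default. A stock instance on a public IP is
# therefore readable by anyone who can reach TCP/27017.
---
net:
  port: 27017
  bindIp: 0.0.0.0          # every interface, including the public one
security:
  authorization: disabled  # no user required; every database readable

# --- Corrected: bind to a private address and require credentials ----------
---
net:
  port: 27017
  bindIp: 127.0.0.1        # or the host's private/VPC address only
security:
  authorization: enabled   # clients must authenticate as a created user
# With authorization enabled, create an admin user before restarting:
#   use admin
#   db.createUser({user: "admin", pwd: "<strong password>",
#                  roles: ["userAdminAnyDatabase"]})
# and keep a host firewall rule in front of 27017 regardless of bindIp,
# so a later config change cannot silently re-expose the data.
```

To check from outside whether an instance is in the weak state, `mongo --host <ip> --eval 'printjson(db.adminCommand({listDatabases: 1}))'` returns the full database list without any credentials; against the corrected configuration the same command fails with an authorization error, or cannot connect at all if the port is bound to a private address or filtered.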

Who Dunnit?

Based on a preliminary investigation by Vickery and DataBreaches.net of some data field labels that looked like they might be unique or proprietary, DataBreaches.net reached out to Nation Builder, the online service of 3dna, Corp., to inquire if the database was one of their databases or if it might be one of their clients’ databases. But after 24 hours with no response, and although we really wanted to know who had left this database available to the entire world, Vickery and DataBreaches.net agreed to turn to law enforcement, who might be able to get the database removed or secured more quickly.

Both the FBI NY field office and IC3 were contacted, as was the California Attorney General’s Office. California was contacted because it is one of the states that restrict how voter registration data can be disclosed and used. When one of their attorneys asked, “Well, how much data are we talking about?” and I read her the list of data fields and told her that we had access to voter records of over 17 million California voters, her response was “Wow,” and she promptly forwarded the matter to the head of their e-crime division. The California Attorney General’s Office has not replied to follow-up e-mail inquiries since then, however, and the FBI would not comment when DataBreaches.net tried to follow up with them to find out what, if anything, they were doing.

When DataBreaches.net eventually reached someone at Nation Builder, Ben Handzo, Product Director, followed up and reported that the IP address was not one of their IP addresses. Nor, he said, was it an IP address for any of their hosted clients. Although we were – and remain – pretty certain that the database involves Nation Builder’s data because of unique data field labels and because the numbers match their database as it was in March, 2014, we had hit a dead end there. Could Nation Builder reach out to all of their customers to ask them to check to see if they were the source of the leak? Yes, but we realize that they’re really under no obligation to do so.

Meanwhile, based on the “User” in the leaky database, DataBreaches.net also reached out to a congressman’s PAC to inquire whether it might be their database. To date, they have not responded, but a staffer for the congressman said it was unlikely to be theirs as they only worked regionally and not nationally.

Enter Steve Ragan of Salted Hash, who offered to put on his deerstalker hat to help investigate after we reached out to him. 

Steve began contacting some big political consulting and software firms, as he reports today over on Salted Hash. So far, none of those leads has resulted in identifying the owner of the leaky database.

Potential for Abuse?

More than one week after Vickery first discovered the leak and we began trying to locate the responsible party, the database remains online and exposed – despite countless hours on our part trying to track this leak down.

If you are a registered voter, we cannot offer you reassurance that your details have not been obtained and won’t be misused. We don’t know for how long this database has been left unsecured and how many people may have accessed and downloaded it. At this point, all we’re pretty sure of is that the data in the database include data from Nation Builder. Could it be one of their non-hosted clients leaking the database? Maybe. Could it be that someone hacked one of their clients and stored a copy of the database at this IP address? Maybe. Could it be that an employee of a client decided to make themselves a copy for their own purposes? Maybe. The possibilities are numerous. We really don’t know and DataBreaches.net declines to speculate.

Head on over to Salted Hash to get Steve Ragan’s report and insights.

And then maybe call your Senator and Representative in Congress and tell them that as a constituent, you want them to ensure that there are adequate laws protecting the privacy of our information. It’s too easy to upload a database with all of our contact details, our date of birth, and our political affiliations and voting history to the Internet where anyone can grab it. Tweet them a link to this article with #ProtectMyPrivacy.

Do You Know?

And if anyone has any knowledge of who might be responsible for this database, please contact [email protected] or contact me on Twitter or WICKR (“PogoWasRight”). For encrypted tips by e-mail, my OpenPGP key: 0x0625E4BA.

DataBreaches.net, Chris Vickery, and Steve Ragan will keep investigating this leak and will update our reports as more information becomes available.

* N.B.: Sam’s data was only retrieved from the database after Sam was asked for, and gave, his permission to do so. 

  96 Responses to “191 million voters’ personal info exposed by misconfigured database (UPDATE2)”

  1. I’m sure you’re this far already, but my guess is you have an analytics or scratch database of a large national campaign or PAC on the Republican side. I say that because pretty much everyone on the Democratic side with data on that magnitude uses NGPVAN data. My guess is a campaign/PAC data staffer with little security knowledge set it up.

  2. Thanks for shining a light on this issue folks! Very few Americans realize that their voter registration data is A) a matter of public record, B) freely available to download en masse in many states, C) full of criminally-exploitable data. For example, I downloaded the entire Florida voter database a few years ago, entirely legally.

    See for example http://www2.sos.state.oh.us/pls/voter/f?p=111:1:0::NO:RP:P1_TYPE:COUNTY

    Indeed, there are some people who, motivated by an odd political agenda (eradicate voter fraud?), enjoy publishing these records. No surprise then that someone has aggregated the freely-shared data into one place. The problem is one of data transformation – sunshine laws meant something completely different when large databases could only be accessed by visiting the records office in person with pen and paper versus downloaded remotely. Not enough state-level politicians and bureaucrats have internalized this new reality (new circa 1990s).

    Stephen Cobb, CISSP

  3. Please tell me that there is no way for a party to change a citizens vote or even lose it.

  4. This fact is quite incredible. It truly is amazing to think how easy it is to find data on someone. Heck, if you have their address, and sometimes just their name and county, you can go to their county’s website and search for it. Some counties don’t allow this but many do. The web is full of data that is, in and of itself, insignificant, but if you dig and branch out, possibly Google search someone’s username and see if they are registered on another site that gives you more information about them, you can find a lot. And that is in the open. Hackers can get even more info. In reality, nothing is ever 100% safe.

  5. That depends. How do you feel about dimpled chads?

  6. I’m interested in the voting record. I notice the fields are zero or one. Would that be true/false yes/no? They have a record of you voting, but not what your vote is correct?

  7. Government should only be allowed to do what they do well. Government does nothing well, except for screwing up and spending money. Those activities should be eliminated.

  8. I am not able to say what they have and what they don’t have. We’d have to ask them – if we can figure out who THEY even are. Technically, they shouldn’t know what your vote is unless you tell them in some survey or something, right?

  9. I’m just trying to figure out how Chad got pregnant. 😀
    — Tom Brokaw

  10. Now we know: unprotected activity. 🙂

  11. Could this be tied to Romney’s “Project Orca” project back in 2012? I worked on the war-floor on election day for this, and the system was supposed to have all Voter information tied into it, where a volunteer would be standing behind the check in desk, and check that person off of the database. The system was supposed to be able to predict how the person would vote, and give Romney’s campaign a heads up of how things were going. However, the system failed miserably on election day.

  12. Can’t be because the data are from Feb/Mar 2014 or thereabouts.

  13. GAWD you guys rock.
    I’m too interested in the fields like “general_*” or
    primary_*.
    how current are these?

  14. Not sure. The data appear to have been last updated in March 2014, but they don’t have info for every person. So for a lot of folks I quickly skimmed, there were just “0” for specific primaries and elections, but I did see some “1” for 2010 stuff. Frankly, I didn’t want to look at the data too much – just enough to get a sense of what might be in there. The fields went up to 2016 primaries, and of course, the primaries haven’t occurred yet and anything after March 2014 might not be in the database at all. But again, that’s my impression: don’t hold me to it, okay?

  15. Looks to be a mongodb database based on the technical json structure. A database that size would need technical support. Reach out to mongodb with the IP address. They should be able to determine who is using their mms service to monitor that database. Cheers.

  16. It is a terrible situation.

  17. Ron, you are correct. Voter records do not contain voting choices marked on a ballot, only whether you have voted in a specific election or not.

  18. someone should post a link to the db

  19. here is another one for Iowa on Google docs.

    [link deleted by DataBreaches.net]

    i located it just by doing a Google search

    [link deleted by DataBreaches.net]

    good times

  20. What’s the site/software

  21. If you have the IP address, then you can track that down to the ISP. Contact the ISP and ask them to contact the customer. Let them know you will publicly post the name of the ISP in 72 hours.

  22. Just an example, media companies track down IP addresses all the time to combat piracy.

  23. That’s not going to happen here. Not while it’s still unsecured, anyway.

  24. I’m very familiar with how to do notifications, thanks.

  25. There are some things that are best handled by the feds. Chris and I decided to go to them and let them do their job and bring their resources to bear on this one.

  26. Sorry, but I removed the links as I don’t like linking to what are essentially data dumps of personal information – even if they’re public records. But you’re right, those lists are easy to find. And that concerns me, too. I value transparency and accountability, but we’ve got to rein in the widespread sharing of our personal information.

  27. this kind of BS is *not* supposed to happen by *accident*.

  28. Government is no better or worse than private enterprise at doing things. Try calling customer support for any major cable company. Ask SONY how secure their data was.
    Government should do what needs to be done that cannot be trusted to the greed of private enterprise. Like inspect meat.

  29. There’s sloppy infosecurity everywhere you turn. And that’s assuming, for now, that it was accidental.

  30. So if Mr. Vickery actually accessed this data, then he directly violated the law and should be prosecuted, no matter his attempt at explaining an excuse as to why he was performing actions he was not legally authorized to do.

  31. The one from Iowa linked above by silent observer which was redacted by DataBreaches.net seems to be in the exact same format as the database described in the article, down to the field names, though the complete list of field names is not visible unless you go to Tools > Select Columns. This may provide a clue to the owner of the database described in the article, and/or how it was generated.

  32. Oy vey, the goyim know we are data-mining them. SHUT IT DOWN!

  33. A lot of data passes through Nation Builder on its way to customers who may then compile the list with other data, assign their own uniq_id etc. Here’s Nation Builder’s statement today

  34. Thanks for taking action and bringing it to the Feds. A lot of people would have exploited the situation.

  35. It certainly does, however NationBuilder’s default field names (if the information on its website is accurate and up-to-date) are different than the ones shown in the original article and in the link above. Please compare: https://elections.nationbuilder.com/about/data_columns In contrast, the Iowa database that was linked to above and the database discussed in the article use exactly the same field names, which deviate from those provided by NationBuilder despite that obviously being the ultimate source of the data.

  36. Chris’s motivation is to get these leaky sites secured and to call attention to the ongoing lack of adequate security of databases with our personal information. It’s a goal he shares with this blogger, so yes, when we couldn’t locate the owner within 24 hours, we agreed that for the public good, we’d start contacting federal agencies and California.

  37. The field names in the image in the story were not from a csv file.

  38. It should be safe to say that a Democrat created the site in question, Republicans aren’t smart enough to build such a website, they’re all a bunch of dumb hillbillies.

  39. Typical leftist comment. Both parties are very capable.

  40. “Once you generalize you’re instantly incorrect”
    Statistically speaking, it’s impossible for every single Republican to be the same. Comments like that are just ignorant and pointless. Next time, think of something intelligent to say.

  41. Thank you for notification about this problem.

  42. Thank you for notifying! 🙂

  43. You sound like the dumb hillbilly here, making generalized statements like that.

  44. Folks: most of the tips that came to my site about the source of this database pointed to Republican-associated campaigns or entities. Only 1 or 2 suggested Dems. At the present time, I still don’t have specific and exact knowledge of whose database this was. If/when I find out, I will publish that. In the meantime, can we focus on the issue of whether a huge database – even with public records – poses a risk to our security and privacy.

  45. Thank you for arriving late to the party Chris Vickery but I’m sure that all the good people down at the NSA already have the situation 100% under control… cuz that’s what they do! May I remind you that all of your “investigating” is taking away work from dedicated NSA union members, and that ain’t right! Do yourself a favor and go investigate Steve Harvey, or maybe even Justin Bieber (that little turd!) Leave the REAL dirt digging to the professionals. Now get back to your paper route, or whatever it is you do for a living… stop holding your subscribers hostage. I bet you you list “fishing expeditions” as your line of work for tax purposes huh! Yeah, real smooth.

  46. Your question has no relevance to this database or surrounding issues.

  47. Jakob’s claim is based entirely on ideology, not at all on fact or reason.

    “Government is no better or worse than private enterprise at doing things.”

    Actually, studies show that government is more efficient than private organizations.

  48. Actually, IP addresses are assigned to “Autonomous Systems” (ASes). Most corporations have their own ASes; those IP addresses are allocated to them, not to an ISP. A DNS lookup of the IP address will yield the domain name, and a whois lookup will yield the owner of the domain.

  49. Nothing accidental is supposed to happen, by definition, so your statement is without useful semantic content.
