The voter information of more than 191 million Americans—including full names, dates of birth, home addresses, and more—was exposed online for anyone who knew the right IP address.
The misconfigured database, which was reportedly shut down at around 7pm ET Monday night, was discovered by security researcher Chris Vickery. Less than two weeks ago, Vickery also exposed a flaw in MacKeeper’s database, similarly exposing 13 million customer records.
According to researchers, the voter database contained voters’ names (first, middle, and last), home addresses, mailing addresses, phone numbers, dates of birth, sex, ethnicity, party affiliation, and whether the person voted in primary or general elections.
It did not, however, include Social Security numbers, driver’s license numbers, or any financial records, according to sources with firsthand knowledge of the dataset. An “almost-complete” screenshot of a voter record, which was redacted to protect the voter’s identity, reveals dozens of field entries containing an array of personal information.
In total, the leaky database contained more than 191,337,170 records, which dated as far back as 2000.
Its existence was first reported by Dissent, the pseudo-anonymous blogger at DataBreaches.net, and information-security journalist Steve Ragan. Both Vickery and Ragan confirmed locating their own personal data among the records. Vickery reportedly responded with outrage. “How could someone with 191 million such records be so careless?” he asked Ragan.
Attempting to locate the source, Ragan reached out to more than a half-dozen political firms, including Catalist, Political Data, Aristotle, and L2 Political. Each denied ownership of the IP address on which the database was found.
After noticing a few of the data field labels appeared to be proprietary, Vickery and Dissent reached out to NationBuilder, a company formerly overseen by Joe Green, an entrepreneur who years prior launched Causes.com, along with former Facebook president Sean Parker.
NationBuilder likewise denied ownership of the “inadvertently accessible” database in a statement on Monday, but added that it may nevertheless correlate with data the company gave freely to campaigns.
“While the database is not ours, it is possible that some of the information it contains may have come from data we make available for free to campaigns,” said CEO Jim Gilliam, of the database found by Vickery. “From what we’ve seen, the voter information included is already publicly available from each state government so no new or private information was released in this database.”
Added Gilliam: “We strongly believe in making voter information more accessible to political campaigns and advocacy groups, so we provide cleaned versions of that publicly accessible information to them for free. We do not provide access to anyone for non-political purposes or that would violate any state’s laws.”
“Don’t let anyone try to dismiss this as, ‘Oh, it’s just mostly public records,’” Dissent told the Daily Dot on Monday. In the wrong hands, she said, the database could put at risk law enforcement officers, domestic abuse victims, and employees whose bosses are staunchly partisan.
“Some voter information needs to be public record for accountability and to keep elections honest,” Dissent added, “but maybe party affiliation shouldn’t be part of state voter registration anymore. Let people sign up with parties separately and let the parties keep their own lists.”
Both Dissent and Vickery reached out for assistance to the California Attorney General’s Office, since California voters are among those exposed, as well as to federal law enforcement.
Citing a policy intended to preserve the integrity of investigations, a spokesperson for Attorney General Kamala Harris would neither confirm nor deny her office was looking into the database. The Federal Bureau of Investigation declined to comment as well.
Dissent said she believes the database should catalyze a debate over whether there should be new rules about posting voting lists online. “One state, South Dakota, prohibits it,” she said. “Maybe the other states should follow their lead on that.”
H/T DataBreaches.net | Photo via angela n./Flickr (CC BY 2.0) | Remix by Max Fleishman