2.9 Million Louisiana Voters’ Data Leaked Online
Most people believe that voting is a fundamental right of any democracy. In the United States an anonymous vote is considered your “right” and it is a cornerstone of the U.S. democratic process. This week researchers from the MacKeeper Security Research Center discovered an open and publically available database that contained detailed information on very voter in the state of Louisiana.
The voter database was named 'lavoter' was hosted on Google Cloud IP and contained 2,919,651 records for the entire state of Louisiana.
Information included the following categories (among other): Names, Full Address (incl. mail address), Sex, Race, Political Party Code, Voter Status, Registration Date, Registration Number, Personal Phone No., Last Voted data and Voting History data.
Exactly as specified at Louisiana’s Secretary of State website: http://www.sos.la.gov/electionsandvoting/publisheddocuments/recordformatsheet.pdf
Another database hosted on the same ip was named ‘ladps’ and contained 6,978,508 records. We can only guess that it attributes to ‘Department of Public Safety”, since the following categories were presented in database: Full Name, Residence Address, Race, Sex, DOB, Height, Weight, Residence Parish code, Driving License Number, SSN code (but not the SSN itself), and issue number.
That database also contained information on deceased people. The total count of records in that one leads us to believe that it corresponds to the demographics of Louisiana.
When the MacKeeper Security Research Center was searching for the legal requirements for protecting voter data in the state of Louisiana we were shocked to discover that all voter data is for sale to basically anyone willing to pay for it. You do not even need to prove that you will use it for political purposes, research or any related election purpose. Louisiana’s system gives you the option of choosing past or present voters and you separate by various demographics (gender, race etc.), specify the party of your choice. The price for buying voter data comes out at $0.01 per name on the list.
The current US election has shown us more than any other just how much technology has become a part of the process. The negative side of that is there is no common standard of security and data protection of election and voter data. The election rules and voter data varies from state to state and voter data may not even be considered private depending on where you live. The FBI has recently investigated the possibility of Russian hackers trying to influence the US election and in Dec 2015 MacKeeper’s Chris Vickery identified 191 million voter records that were exposed because of a misconfiguration in a CouchDB installation. In July 2016 WikiLeaks released 19,252 emails and 8,034 attachments from the top of the US Democratic National Committee and many experts expect more information will be released before the election. The real question is why are Americans so worried about Russian hackers and protecting voter’s personal data when some states will just sell it?
Voter data and election should be considered "critical infrastructure" and not sold off to the highest bidder or wholesale prices. Citizens should at a minimum have the right to “Opt Out” of having their data sold if they live in a state that sells voter information.
It is unclear if the database discovered by the MacKeeper Security Research Center belonged to the State of Louisiana, a political organization, or who? The files include driver’s license numbers so this would make us assume that only the state would have that sensitive information and those would be likely be removed from any sold lists. Regardless of who is responsible for the database it was publically available and exposing the data of 2.9 million voters.
The database has since been secured. It is unknown, how many people got access to it and who was the owner.
Attention - Portions of this article may be used for publication if properly referenced and credit is given to MacKeeper Security Research Center.
Do you have security tips or suggestions? Contact: email@example.com