For the second time in two months, the voter registration information of over 19 million Californians was leaked online via an unsecured MongoDB database, which was later held for ransom by hackers.

This second incident originates with Sacramento newspaper The Sacramento Bee, which acknowledged the breach in an article published on its site, yesterday.

The newspaper said it learned of the incident on January 29 when a developer noticed an error when attempting to upload data to one of the organization's databases, hosted on a third-party cloud provider.

After a subsequent investigation, the developer noticed that a hacker had accessed the database, deleted all its data, and left a ransom note behind, asking for payment in Bitcoin if the newspaper wanted to get the stolen data back.

Newspaper refuses to pay ransom demand

The Bee says the ransomed database contained California voter registration data from the California Secretary of State and contact information for 53,000 current and former newspaper subscribers who registered accounts prior to 2017.

Instead of paying the ransom, the newspaper said it deleted the database for good and will notify affected subscribers of the breach.

The newspaper also clarified that it obtained a copy of the California voter registration database from state officials for reporting purposes, similar to how many other organizations also obtained copies, and was not in possession of the voter registration data illegally.

Maintenance operation crashes database firewall

According to Gary Wortel, Sacramento Bee publisher, the voter registration database had been stored in a secure database all along, but a firewall did not come back online after the third-party server provider run a routine maintenance operation.

"The Bee’s database was exposed to the public internet for about two weeks," Wortel said, before the newspaper noticed the leak and deleted the server.

Kromtech, an EU-based security firm, also spotted the Bee's exposed database, before and after the hacker ransomed the data.

Kromtech is also the company that spotted the first unsecured MongoDB server storing Californians' voter registration records that was held for ransom last year, in December. The security firm has yet to find out to whom that database belonged to.

Ransom attacks on MongoDB servers started in December 2016 and continued through 2017. In most cases, security experts believe hackers don't steal data from affected servers, but wipe data and leave ransom notes behind hoping to fool companies into paying for data hackers don't have.