Challenger Podlodowski discovers open door into state's voter database

Tina Podlodowski, the challenger who blew the whistle on a vulnerability in the state's voter registration database. "Can we trust our data is safe, with ballots ready to go to overseas and military voters? No we cannot -- not without an outside audit." less Tina Podlodowski, the challenger who blew the whistle on a vulnerability in the state's voter registration database. "Can we trust our data is safe, with ballots ready to go to overseas and military voters? ... more Photo: SEATTLEPI.COM Photo: SEATTLEPI.COM Image 1 of / 1 Caption Close Challenger Podlodowski discovers open door into state's voter database 1 / 1 Back to Gallery

A yawning back-end pathway into the state's voter registration database, through which private information could have been accessed, has been closed, thanks to the candidate challenging Secretary of State Kim Wyman.

"Anyone with basic programming skills and knowledge about these weaknesses could conceivably (access) this data, look up and harvest private data from millions of Washingtonians," Tina Podlodowski wrote Wednesday to the state's chief information security officer (CISO).

The information accessible via the back-end pathway included voters' personal cell phone numbers, personal email addresses, ballot delivery types, and the coding used to message military and overseas voters.

Wyman's office, without mentioning Podlodowski, put out a release Friday, saying: "The situation has been quickly rectified."

David Ammons, chief communications office for the secretary of state, later confirmed that the problem was first identified in a letter from Podlodowski.

In writing to the security officer, Podlodowski laid out, in her words, "Step-by-Step: How to view illegally posted MyVote personal information about any registered voter in WA." The navigation to "personally sensitive information prohibited by law from disclosure" was done in 11 easy steps.

Agnes Kirk, the CISO, wrote to thank Podlodowsi on Friday, saying: "The Secretary of State's office took immediate action to prevent the information from being accessible any longer . . . Thank you again for following the industry standard for responsible disclosure of a potential cyber security issue and helping keep the citizens data safe."

Instead of Podlodowski, the secretary of state's office thanked Agnes Kirk.

Podlodowski, late Friday, expressed incredulity that Wyman and her office were ignorant of a back-door access problem that "was there since 2012."

"The breach was real and hopefully fixed," she added. "However, (Wyman) should submit to a full cyber audit done by the cyber security officer (which is outside the secretary of state's office) and not just rely on her own people.

"Voters need to be assured by an outside party that data is safe. ... Can we trust our data is safe, with ballots ready to go to overseas and military voters? No, we cannot -- not without an outside audit."

The secretary of state is Washington's chief elections official.

Elected in 2012, Wyman is Washington's lone Republican to hold statewide office. The GOP has held onto the office for 52 years. A former Microsoft executive, who served a term on the Seattle City Council, Podlodowski is the Democrats' strongest-ever challenger for the job.

Wyman's office explained the problem in computer lingo, saying that "some voter information" in the MyVote lookup tool "has been accessible through development code that should not have been."

MyVote is an online tool that permits voters to register and update their registration information, discover ballot dropbox location, access the online voters' guide and see personalized information on issues and election races.

Wyman's office downplayed the significance of the vulnerability.

"We want to make it clear that this was neither a security breach nor a hack of the voter system," said the secretary of state's release. "Also, no otherwise protected personally identifiable information, such as Social Security or driver's license numbers, was ever accessible."

Unusual for a release out of her office, Wyman's name was not mentioned and she was not personally quoted.

Despite reassurances, the loophole made data accessible far beyond the bounds set down by state law. The law sets and defines limits on what can be made available:

"The following information contained in voter registration records or files regarding a voter or a group of voters is available for public inspection, except as provided in RCW 40.24.060:

"The voter's name, address, political jurisdiction, gender, date of birth, voting record, date of registration and registration number. No other information from voter registration records or files is available for public inspection or copying."

Citing the law, Podlodowski stated: "This is serious. I believe she (Wyman) is underselling scope, dramatically."