Info on 1.8 million Chicago voters exposed on Amazon server

Elizabeth Weise | USA TODAY

SAN FRANCISCO – Names, addresses, dates of birth and other information about Chicago’s 1.8 million registered voters were left exposed and publicly available online on an Amazon cloud-computing server for an unknown period of time, the Chicago Board of Election Commissioners said.

The database file was discovered August 11 by a security researcher at Upguard, a company that evaluates cyber risk. The company alerted election officials in Chicago on August 12 and the file was taken down three hours later. The exposure was first made public on Thursday.

The database was overseen by Election Systems & Software, an Omaha, Neb.-based contractor that provides election equipment and software.

The voter data was a back-up file stored on Amazon’s AWS servers and included partial Social Security numbers, and in some cases, driver's license and state ID numbers, Election Systems & Software said in a statement.

Amazon's AWS cloud service provides online storage, but configuring the security settings for that service is up to the user and is not set by Amazon. The default for all of AWS' cloud storage is to be secure, so someone within ES&S would have had to choose to configure it as public.

The incident is an example of the potential problems raised by an increasingly networked and connected voting system whose security systems have not necessarily kept up — especially at a time when Russia is known to be probing U.S. election systems.

It's also the latest example of sensitive data left exposed on cloud computing servers, vulnerabilities that cybersecurity firm Upguard has been identifying. Similar configuration issues on Amazon cloud servers have left exposed Verizon, Dow Jones and Republican National Committee data.

“Every copy of data is a liability, and as it becomes easier, faster, and cheaper to transmit, store, and share data, these problems will get worse,” said Ben Johnson, chief technical officer at California-based Obsidian Security, and a Chicago voter.

Election Systems & Software is in the process of reviewing all procedures and protocols, including those of its vendors, to ensure all data and systems are secure and prevent similar situations from occurring, it said in a statement.

No ballot information or vote totals were included in the database files and the information was not connected to Chicago's voting or tabulation systems, ES&S said.

“We were deeply troubled to learn of this incident, and very relieved to have it contained quickly,” said Chicago Election Board Chairwoman Marisel Hernandez. “We have been in steady contact with ES&S to order and review the steps that must be taken, including the investigation of ES&S’s AWS server,” she said.

The database was discovered by Upguard's director of strategy Jon Hendren. The company routinely scans for open and misconfigured files online and on AWS, the biggest provider of cloud computing services.

The database also included encrypted versions of passwords for ES&S employee accounts. The encryption was strong enough to keep out a casual hacker but by no means impenetrable, said Hendren.

“It would take a nation state, but it could be done if you have sufficient computing power,” he said. “The worst-case scenario is that they could be completely infiltrated right now,” he said.

“If the passwords are weak, they could be cracked in hours or days. If they are credentials that ES&S employees use elsewhere (corporate VPN) without two-factor authentication, then the breach could be way more serious,” said Tony Adams of Secureworks, an Atlanta-based computer security firm.

The implications of the exposure are much broader than Chicago because Election Systems & Software is the largest vendor of voting systems in the United States, said Susan Greenhalgh, an election specialist with Verified Voting, a non-partisan election integrity non-profit.

“If the breach in Chicago is an indicator of ES&S's security competence, it raises a lot of questions about their ability to keep both the voting systems they run and their own networks secure,” she said.

Russia is known to have probed at least 38 state voter databases prior to the 2016 election, federal officials have said. Because of that, the fact that the Chicago data was available to anyone with an Internet account — even if they had to poke around a bit to find it — represents a risk, Obsidian Security's Johnson said.

"It’s hard to say malicious actors have found the data, but it is likely some were already hunting for it. Now, with more headlines and more examples of where to look, you can bet that malicious actors have already written the equivalent of search engines to more automatically find these hidden treasures of sensitive data," Johnson said.