Millions of voters are now at risk for “countless scams” after their records were exposed by an improperly secured database, said Chris Vickery, a white hat cybersecurity researcher who uncovered the vulnerability.
“The dangers are extreme,” Vickery told FedScoop in an email.
He added, “Imagine the havoc that could be caused by phone scammers knowing the age and cell phone number of every voter in America. That’s a large group of elderly, naive targets to reap. Also, think how much a spammer would value a nearly up-to-date list of millions and millions of voter email addresses. That’s not to mention the potential harm coming from a list of every voters’ ethnicity.”
Last week, Vickery announced in a blog post that he discovered an exposed “database containing profiles for 154 million American voters.” The database, which is owned by Seattle-based nonpartisan political data brokerage firm L2 and was sold to an undisclosed customer, held voters’ home addresses, full names, political preferences and their opinions concerning issues like gun control and same-sex marriage.
Vickery, who works at security software firm MacKeeper, said a database misconfiguration was likely to blame. The unnamed L2 client had previously claimed their account was hacked.
While it remains unclear whether an unauthorized user captured data before the vulnerability was patched, a log file showed that while the database was left open, it was accessed from a Serbian IP address, Vickery said. At the same time, he noted that authorized users could choose to mask their IP for an added layer of security.
L2 CEO Bruce Willsie said in a statement shortly after the vulnerability was disclosed that his company took immediate action.
“We very quickly identified the national client, informed them immediately and they took down the site as quickly as they could.”
FedScoop reached out to L2 for comment but did not receive a response before publication. Though, L2 told The Hill that the exposed voter information was roughly a year old.
Vickery told FedScoop that if the database were leaked online, it should concern American gun owners, who would be “alarmed to learn that they really are being tracked.”
“Little bits of info here and there may be innocuous, but when you concentrate some of the most sensitive aspects of millions of peoples’ lives, it becomes potent and destructive in the wrong hands,” Vickery said. “The number of scams you could pull off with such a database is only limited by your imagination.”
To contact the reporter on this story: send an email via firstname.lastname@example.org or follow him on Twitter at @Bing_Chris. Subscribe to the Daily Scoop to get all the federal IT news you need in your inbox every morning at fdscp.com/sign-me-on