By Katie Bo Williams – 12/28/15 09:50 AM EST
Security bloggers and researchers claim to have uncovered a publicly available database exposing the personal information of 191 million voters on the Internet.
The information contains voters’ names, home addresses, voter IDs, phone numbers and dates of birth, as well as political affiliations and a detailed voting history since 2000.
While voter registration lists are a matter of public record in most states, many have regulations restricting access and use.
For example, South Dakota requires those requesting access to voter data to confirm that the information “may not be used or sold for any commercial purpose and may not be placed for unrestricted access on the internet.”
Security researcher Chris Vickery discovered the breach and reported it to DataBreaches.net, which has since reached out to law enforcement, as well as the California attorney general’s office.
“When one of their attorneys asked, ‘Well how much data are we talking about?’ and I read her the list of data fields and told her that we had access to voter records of over 17 million California voters, her response was ‘Wow,’ and she promptly forwarded the matter to the head of their e-crime division,” writes DataBreaches.net’s anonymous admin.
Steve Ragan, a security blogger for the security and risk management website CSO, has also investigated the breach, noting that none of the political database firms he identified and reached out to in connection with the database claimed ownership of the IP address where the files are posted.
“What Vickery has discovered is worse” than the recent breach of Hillary Clinton’s voter data by a member of Bernie Sanders’s campaign, Ragan writes, “because the data he discovered isn’t a client score — it’s a complete voter record for 191 million registered voters.”
“The problem is, no one seems to care that this database is out there and no one wants to claim ownership,” he says.
Because some states charge high fees for access to voter data, campaigns often turn to third-party vendors to purchase huge swaths of information at a lower price. They can then use the information to develop sophisticated data sets to help them gain an edge, much the way President Obama’s campaign did in 2012.
The exposed data set, for example, could be used as the backbone of a database for an issue-oriented campaign. Such databases can contain deeply personal information, such as whether you’re a gun owner, religious or believe in abortion.
Such information can then be used by criminals to target victims of the breach.
A police officer speaking to DataBreaches.net said that he intentionally keeps his address and other personal information off of the Internet to protect his family.
“I deal with criminals every day who know my name,” he told the site’s admin. “The thought of some vindictive criminal being able to go to this site and get my address makes me uncomfortable.”
Both Ragan and DataBreaches.net believe the dataset originated with the third-party vendor Nation Builder but that the poor configuration that resulted in its exposure was done by a customer that purchased the information.
“Nation Builder is under no obligation to identify customers, and once the data has been obtained, they cannot control what happens to it,” Ragan writes.
“While the database is not ours, it is possible that some of the information it contains may have come from data we make available for free to campaigns,” Nation Builder CEO Jim Gilliam said in a statement acknowledging the breach. “From what we’ve seen, the voter information included is already publicly available from each state government so no new or private information was released in this database.”
Privacy experts have warned that unlike the commercial sector, campaign data remains a kind of Wild West, with the candidates under no obligation to safeguard the information.
There are several major discrepancies between how campaigns and the commercial sector are expected to handle personal data — in some cases putting voter information at risk.
Campaigns are largely exempt from many of the communications laws that apply to businesses, such as anti-SPAM laws.
It’s also unclear who would have responsibility for oversight of campaign data collection. There’s no consensus on what federal agency, if any, would take enforcement action against a campaign in the event of a hack.
Some question whether commercial standards for data protection are adequate for voter or campaign data, since the information given to campaigns is often far more personal than a credit card number.
“Is the commercial standard sufficient for politics?” Ira Rubinstein, a fellow at New York University who has written extensively on privacy in the big data era, asked while speaking to The Hill for a previous story on this topic.
“We’re not talking about which sneaker I want to buy. We’re talking about exercising the right to vote as a basic democratic right.”
The database is currently still live, according to a Monday morning post on DataBreaches.net.
–Updated at 2:44 p.m.