I've Been Mugged Blog

While looking for unprotected data in cloud storage services, a security researcher found unprotected information for as many as 1.8 million voters in Chicago. CBS Chicago reported:

"It was Friday Aug. 11 in Silicon Valley. John Hendren, a marketing representative for IT security firm UpGuard, was looking for insecure data in the cloud. He randomly plugged in "Chicago … db," for “Chicago database,” and hit the jackpot. He found names, addresses, birth dates, driver’s license numbers and the last four digits of Social Security numbers for up to 1.8 million Chicago voters..."

How the breach happened:

"Chicago’s vendor is ES&S, out of Omaha, Nebraska. The company has been paid more than $5 million since 2014 by the Chicago Board of Elections. The company placed the data folder on Amazon Web Services (AWS) with the wrong security settings, Tom Burt, the firm’s CEO, recently told Chicago officials. Burt says managers missed the gaffe, and the database remained online for six months, until UpGuard found it. Company officials say they don’t believe the information ended up on the “dark web” for identity thieves to attain..."

The CBE's breach notice (Adobe PDF) provided a more complete list of the data elements exposed:

"... The personal information contained in the back-up files included voter names, addresses, and dates of birth, and many voters’ driver’s license and State ID numbers and the last four digits of Social Security numbers. Upon discovery of the Incident, ES&S promptly took the AWS server off-line, secured the back-up files, and commenced a forensics investigation. ES&S also hired two specialized third-party vendors to conduct searches to determine whether any personal information stored on the back-up files was available on the Dark Web. The results of ES&S’ investigations have not uncovered any evidence that any voter’s personal information stored on the AWS server was misused..."

This is bad for several reasons. First, the data elements exposed or stolen are enough for cyber criminals to do sufficient damage to breach victims. Second, just because the post-breach investigation didn't find misuse of data doesn't mean there wasn't any. It simply means they didn't find any misuse.

Third, it would be unwise to assume that the breach wasn't that bad because only the last 4 digits of Social Security numbers were exposed. Security researchers have known for a long time that Social Security numbers are easy to guess:

"... a crook need only figure out where and when you were born--information often easily found on social networking sites like Facebook--to guess your number in as few as 1000 tries... Social Security numbers were never meant to be used for widespread identification. They were conceived solely to track taxes and benefits... Every Social Security number starts with three digits known as an "area number." Smaller states might have only one, whereas New York, for example, has 85. The next two digits are "group numbers," which can be anything from 01-99, but don't correspond to anything specific. The last four digits, the "serial number," are assigned sequentially..."

So, it's long past time to stop using the last four digits of Social Security numbers as identification. Fourth, the incident makes one wonder when -- if ever -- the unprotected data folder would have been discovered by ES&S or CBE, if the security researcher hadn't found it. That's unsettling. It calls into question the security methods and managerial oversight at ES&S.

This isn't the first breach at the Chicago Board of Elections (CBE). A CBE breach in 2012 exposed the sensitive personal information of at least 1,000 voters, after initial reports estimated the number of affected voters at 1.7 million. Before that, the CBE faced several lawsuits in 2007 claiming negligence after:

"... it distributed more than 100 computer disks containing Social Security numbers and other personal data on more than 1.3 million voters to alderman and ward committee members."

Reportedly, in 2016 foreign cyber criminals hacked the Illinois Board of Elections' voter registration system. A similar attack happened in Arizona. The main takeaway: voter registration databases are high-value targets.

So, strong data security measures and methods seem wise; if not necessary. The latest incident makes one wonder about: a) the data security language and provisions in CBE's outsourcing contract with ES&S, and b) the agency's vendor oversight.

Will Chicago residents demand better data security? I hope so. What do you think?