A publicly available database containing the personal information of 191 million US voters has been sitting, exposed, in a publicly accessible corner of the Internet, according to security researchers.
The database, which was first uncovered by independent security researcher Chris Vickery and reported today by DataBreaches.net, includes the names, home and email addresses, voter IDs, dates of birth, party affiliations, and voting histories of millions of registered American voters since 2000. Fortunately, it does not expose the voters’ Social Security numbers, driver’s license numbers, or sensitive financial information.
While 191 million records sounds pretty alarming, it’s worth noting that voter registration lists are usually a matter of public record—though many states enforce regulations to control access to the information. Some states charge expensive fees, for instance, for access to such data. South Dakota, as noted by DataBreaches.net, explicitly requires those looking to acquire voter data to sign a statement confirming their understanding that the database “may not be used or sold for any commercial purpose” and “may not be placed for unrestricted access on the Internet.”
Still, this type of data can be extremely valuable, especially to those running campaigns. For one, the information in such databases might be used for targeted mailings.
That’s the reason third-party vendors hawking vast chunks of voter data exist—which is the suspected source of the breach in this case, as well. Both Vickery and Steve Ragan, a security blogger for the risk management website CSO, who also investigated the data, say the style and formatting of the data set point to a vendor called Nation Builder. The company, for its part, says that the IP address where the files were posted did not belong to it or any of its clients.
More likely, the researchers say, the poor configuration of the data set could be an indicator that a customer purchased information then sloppily threw it online without the right security protocols in place.
OK, but should you be panicking? Not quite. As mentioned, a lot of voter information is public record. As much as anything, it’s just weird that this much valuable data was sitting on the Web for so long, unchecked and undiscovered. That said, restrictions around voter data exist for a reason, if only to temper the likelihood of getting more junk mail.