U.S. Voter Database Mysteriously Appears Online, in the Open

Nonprofit // Web Services // United States

A misconfigured database has provided users of the World Wide Web access to 191 million voter records. White hat hacker Chris Vickery happened upon the leaky system and sent CSO’s Steve Ragan his personal voter record to prove it.

“It was current based on the elections listed. My personal information was accurate too,” Ragan writes.

Vickery and the parents of Forbes’ Thomas Fox-Brewster also were listed in the dump.

Vickery told Ragan: "I needed to know if this was real, so I quickly located the Texas records and ran a search for my own name. I was outraged at the result. Sitting right in front of my eyes, in a strange, random database I had found on the Internet, were details that could lead anyone straight to me. How could someone with 191 million such records be so careless?"

The database contains a voter's full name (first, middle, last), home address, mailing address, a unique voter ID, state voter ID, gender, date of birth, date of registration, phone number, a yes/no field for whether the number is on the national do-not-call list, political affiliation, and a detailed voting history since 2000. In addition, the database contains fields for voter prediction scores.

Each state has its own rules for the protection of such data.

In Alaska, Arkansas, and Colorado, voter data has no restrictions placed on it. However, in California, voter data must not be made available to persons outside of the United States. South Dakota has a law that is directly related to incidents such as this one:

"...the voter registration data obtained from the statewide voter registration database may not be used or sold for any commercial purpose and may not be placed for unrestricted access on the internet."

No one has claimed ownership of the data or responsibility for the security flub. 

It would appear every registered U.S. voter is included in the leak, Forbes says. 

Certain markers in the database pointed to a NationBuilder-designed database.

It could be that a non-hosted NationBuilder customer was responsible for the misconfiguration. The company's CEO Jim Gilliam said “it is possible that some of the information it contains may have come from data we make available for free to campaigns”.

“From what we’ve seen, the voter information included is already publicly available from each state government so no new or private information was released in this database,” Gilliam added.

Based on the voter count and some of the records, the database appears to be from NationBuilder's 2014 update from February or March, but it's unclear how long the system has existed online.

To some, it might not seem alarming that this largely public information is in the wild, but campaigns charge thousands of dollars to see it all aggregated in this manner.

“Right now, thanks to someone’s carelessness, it’s free to anyone who can find what Vickery did. That means anyone in the world can find out where a person in the US lives and what political beliefs they may have. If they can find the database, scammers and marketing folk alike will likely benefit most,” Forbes writes.