A US technology contractor has inadvertently exposed the personal data of 4.6 million voters and election documents from multiple counties in Illinois, sparking significant concerns over election security and voter privacy.
The databases, managed by Platinum Technology Resource, were found to be unprotected by passwords and included sensitive information like full names, addresses, dates of birth, driver’s license numbers, and Social Security numbers. This breach was uncovered by cybersecurity researcher Jeremiah Fowler, who reported his findings to vpnMentor.
“I discovered a variety of documents, including voting records, ballot templates, and voter registrations, all originating from a single county in Illinois,” Fowler detailed in the report. “Further scrutiny revealed 13 open databases and an additional 15 that exist but were not publicly accessible.”
The unprotected databases contained records of active voters, absentee ballots, early mail-in voting records, and duplicate voters. They also included candidate documents with personal phone numbers, email addresses, and home addresses.
“There were documents labeled as ‘voter records’ that held even more sensitive personal information,” Fowler added. “This included historical voting records and copies of voter registration applications.”
Platinum Technology Resource, a company providing election technology and services to various counties in Illinois, was identified through publicly available contracts and Freedom of Information Act (FOIA) documents. After initial attempts to contact Platinum Technology Resource failed, Fowler contacted Magenium, an Illinois-based technology company responsible for technical support of Platinum Election Services. Subsequently, access to the databases was restricted.
“The databases were publicly accessible for an undetermined period, raising concerns about potential unauthorized access,” Fowler said. “Only an internal forensic audit can reveal if there was any suspicious activity.”
Fowler cautioned about the risks associated with exposed personal information, highlighting the potential for identity theft, fraud, social engineering attacks, or disinformation campaigns to undermine public trust in the electoral process.
In response, Fowler recommended that organizations managing sensitive documents enforce robust access controls and encryption. Additionally, using unique database formats and names that are difficult to guess can help prevent unauthorized access.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.