A whitehat hacker has uncovered a database sitting on the Web containing various pieces of personal information related to 191 million American citizens registered to vote. On top of the concomitant problems of disclosing such a significant leak to that many people, no one knows who is actually responsible for the misconfiguration that left the data open to anyone.
Researcher Chris Vickery, who this month found myriad databases left open to all and sundry, told FORBES he has his hands on all 300GB of voter data, which includes names, home addresses, phone numbers, dates of birth, party affiliations, and logs of whether or not they had voted in primary or general elections. The data appears to date back to 2000. It does not contain financial data or social security numbers.
Vickery looked up his own information in the database table covering Texas and confirmed it was all accurate. Reporters from CSO and DataBreaches.net did the same. Vickery also looked up several police officers in his city and confirmed the information was correct.
Finally, I gave Vickery my parents' surname and home town in the United States. He found them in the database in a matter of minutes. It would appear every registered US voter is included in the leak.
But their various attempts to disclose the breach to the right party were close to fruitless. DataBreaches.net and Vickery chased NationBuilder, a service that sets up digital campaigns for political parties. They believed certain markers in the database pointed to a NationBuilder-designed database. A NationBuilder spokesperson told DataBreaches.net that the IP address linked to the leaked database was not one of theirs, and the IP address was not related to any of their hosted clients.
It could be that a non-hosted NationBuilder customer was responsible for the misconfiguration. The provider's CEO Jim Gilliam said "it is possible that some of the information it contains may have come from data we make available for free to campaigns".
"From what we've seen, the voter information included is already publicly available from each state government so no new or private information was released in this database," Gilliam added.
"We strongly believe in making voter information more accessible to political campaigns and advocacy groups, so we provide cleaned versions of that publicly accessible information to them for free.
"We do not provide access to anyone for non-political purposes or that would violate any state's laws. Each state has different restrictions, and we make sure that each campaign understands those restrictions before providing them with any data. It is vital that everyone running for office knows who is registered to vote in their district."
No one has taken responsibility for the leak. CSO contacted other political tech groups - Catalist, Political Data, Aristotle, L2 Political, and NGP VAN - and all denied the database belonged to them. The FBI New York field office and Internet Crime Complaint Center were contacted by DataBreaches.net and Vickery too.
The FBI declined to provide comment to FORBES. It recommended contacting the Secret Service, which declined to offer comment also.
That this kind of information is open to anyone might not alarm at first glance. Much of the data is publicly available across states as campaigners seek to home in on certain demographics. But some charge thousands of dollars for the pleasure. Many also place restrictions on the use of the information for commercial purposes.
The database has now been taken down. But thanks to someone's carelessness, it was free to anyone who could find what Vickery did. That meant anyone in the world could have discovered where a person in the US lives and what political beliefs they may have. If they found the database, scammers and marketing folk alike will likely benefit most.
"Our society has never had to confront the idea of all these records, all in one place, being available to anyone in the entire world for any purpose instantly," Vickery added. "That's a hard pill to swallow. It crosses the line."
This article was updated at 17:40 ET to include comment from NationBuilder's CEO, and to note the FBI pointed Forbes to contact the Secret Service.
