Contractor’s unsecured databases exposed sensitive voter data in over a
dozen Illinois counties
Send a link to a friend
[September 18, 2024]
By ANDREW ADAMS
Capitol News Illinois
aadams@capitolnewsillinois.com
 Around 4.6 million records associated with Illinoisans in over a dozen
counties – including voting records, registrations and death
certificates – were temporarily available on the open internet,
according to a security researcher who identified the vulnerability in
July.
The documents were available through an unsecured cloud storage
platform. They included Social Security numbers, dates of birth,
addresses and voter registration history.
Election security experts said the breach is unlikely to affect the
upcoming election but could make affected individuals susceptible to
identity theft.
The researcher, Jeremiah Fowler, has also identified similar data
vulnerabilities which exposed thousands of rail passengers’ travel
details in the United Kingdom and over 4 million student records in the
U.S., among others.
“It’s probably some of the most sensitive voter data I've seen,” Fowler
told Capitol News Illinois. “And I've been doing this around 10 years.”
Fowler identified 15 unsecure databases before contacting several county
clerks and eventually a technology vendor that is contracted to provide
services for those counties.
Fowler told Capitol News Illinois that the list of counties affected
include Alexander, Boone, Champaign, DeKalb, Effingham, Gallatin,
Hamilton, Henry, Jefferson, Ogle, Pike, Sangamon, St. Clair, Williamson
and Winnebago.
He traced the issue to Platinum Technology Resource, an elections
technology company based in Batavia. It is unclear if anyone other than
Fowler accessed the information, although Platinum has denied that any
voter registration forms were “leaked or stolen.”
Capitol News Illinois contacted county clerks in all of the counties
Fowler identified. All but one, Alexander County, responded and
indicated they had been in communication with Platinum about the issue.
One other county, Henry, denied that they were affected by the incident.
St. Clair County was also named in a separate report from Cybernews, a
cybersecurity news and research company, that alleges 470,000 records
were exposed in a similar incident earlier this year.
That report said the exposed data included online voter applications and
change-of-address forms that included Social Security numbers, dates of
birth, names, current and former addresses, driver’s license numbers,
contact information, and more.
When asked about the Cybernews report, St. Clair County Clerk Thomas
Holbrook referred Capitol News Illinois to Platinum, but didn’t comment
further on the issue. Platinum Chief Operating Officer Jay Bennett said
the company “has no knowledge or involvement” of the March incident.
Platinum’s website indicates it currently contracts with 20 election
authorities around Illinois. A Capitol News Illinois review of 12 of its
contracts showed they had a cumulative value of more than $1.7 million
of annual license fees ranging from about $4,500 to $58,000.
Some counties also contract with Platinum for election night support and
other services. In St. Clair County, these services cost more than
$130,000 per election.
Fowler said he reported the vulnerability to Platinum on July 18 but did
not receive a response. Bennett said Platinum was unable to reach Fowler
after he reported the incident.
Fowler then reported the issue to Magenium, Platinum’s IT services
provider, on July 19. He then spoke to an individual at Magenium, who
confirmed the databases were secure, before he published a report with
his findings on Aug. 2.
This is in line with guidance from the Association for Computing
Machinery's Committee on Professional Ethics, which advises those who
identify vulnerabilities within computer systems to notify those
responsible for maintaining those systems before making their findings
public.
“At the end of the day, it’s not about naming and shaming contractors,”
Fowler said. “Every company does the best they can. It’s about
identifying, strengthening the system and learning from it.”
A county clerk alerted the Illinois State Board of Elections of the
situation, according to board spokesperson Matt Dietrich. The board,
which does not contract with Platinum, alerted county clerks of the
situation on July 19.
Platinum distributed a notification to impacted counties in early
August, two weeks after being initially notified.
[to top of second column]
|
Examples of redacted documents found by Jeremiah Fowler in unsecured
databases. (Illustration by Capitol News Illinois)
“We have evidence of a claim the file storage containing voter
registration documents may have been scanned,” the company wrote in a
message obtained by Capitol News Illinois. “The containers are securely
segregated from the overall system, which we can assure you has not been
scanned or accessed.”
In its message to affected counties, the company also said it “used this
opportunity to deploy new and additional safeguards around voter
registration documents,” although it did not describe those safeguards.
In an email to Capitol News Illinois, Bennett said that upon being
notified of the database misconfiguration, Platinum and Magenium took
“immediate steps to quickly investigate and remedy” it.
Bennett declined to comment on what proactive steps the company has
taken to secure other databases, noting that doing so “may pose a risk
and potentially compromise” the security of its clients.
Several county clerks said they had received assurances from Platinum
that the issue had been resolved shortly after the situation was made
public.
“We always take any type of accusation seriously,” Winnebago County
Clerk Lori Gummow said in an August interview.
Gummow also noted that the Winnebago County state’s attorney and county
board members were aware of the situation and that the company assured
her that it has “high confidence” that Winnebago County records had not
been accessed.
Other county clerks, including those in DeKalb and Williamson, referred
the situation to their local state’s attorney.
Some county clerks expressed concern that this would provide reason for
doubt among voters, some of whom are already suspicious of election
officials.
“I can guarantee our elections are run correctly,” Gallatin County Clerk
Deanna Bryant said. “But not everyone believes that. We don’t need more
scrutiny.”
Independent election security experts said the issue was concerning, but
didn’t appear to pose a threat to this year's election.
“This is a serious issue – potentially, we don’t know all the details of
it – relating to identity theft and the security of personal data,”
David Becker, head of the Center for Election Innovation & Research said
at a September media briefing. “This does not appear to be an issue that
impacts election administration.”
Fowler noted in an interview that the information that was publicly
available “would have given all the information to commit identity
theft.” He also shared concerns that hackers in other countries could
use this type of information for nefarious purposes.
The Illinois attorney general advises those who suspect that they might
be the victim of identity theft to report any fraudulent charges to
creditors, place a fraud alert on your credit reports, file a police
report and consider freezing your credit altogether. The AG’s office
also maintains an identity theft hotline for victims at 1-866-999-5630.
Consumers can also order free personal reports from the major consumer
credit reporting agencies – Equifax, Experian and TransUnion – by
visiting their websites individually or by visiting
annualcreditreport.com.
Other county clerks in Illinois said this reflects the changing nature
of election oversight.
“I never would have imagined being a cyber expert and that’s what
elections officials have to be,” Sangamon County Clerk Don Gray said.
Illinois election officials suffered a serious data breach in 2016 after
Russian agents targeted the Illinois Board of Elections and accessed
76,000 voter records.
In response to that breach, the state launched the “Cyber Navigator
Program” in 2018 to provide cybersecurity training to election
authorities around the state. The program has since expanded to offer
services to other local units of local government.
No state-level data breaches have occurred since then, according to
Dietrich.
Capitol News Illinois is
a nonprofit, nonpartisan news service covering state government. It is
distributed to hundreds of print and broadcast outlets statewide. It is
funded primarily by the Illinois Press Foundation and the Robert R.
McCormick Foundation, along with major contributions from the Illinois
Broadcasters Foundation and Southern Illinois Editorial Association. |
