Breaches, Leaks and Hacks: The vulnerable life of voter data


Originally published in Inside the Influence Industry's Personal Data: Political Persuasion - How it works by Tactical Tech's Data & Politics team.

What are breaches, leaks and hacks?

Today, voter data is just as much of a target for malicious hacks and breaches as, say, credit card data, and is equally susceptible to poorly secured digital infrastructure. In fact, the problem has already reached a global scale. While wider international media coverage has largely looked at data hacks and breaches in elections through the lens of leaked emails, nation-state involvement in misinformation campaigns, or insecure infrastructure (such as vulnerabilities in voting booth software), voter data is also at risk. Voter data can be exposed by either a malicious hack, an accidental leak, poorly configured security settings, or the physical theft of hardware. Regardless of the point of exposure, compromised voter data usually includes sensitive and personally identifiable information. As much as data on voters can be a political asset, it can also be a liability.

Over three billion internet credentials and other types of personal data have been stolen by hackers and two-thirds of victims are unaware that their data has been compromised, according to a report by the Center for Strategic and International Studies and McAfee. Some of the most high-profile cases include the data breach at the Equifax credit reporting agency, which exposed the personal financial data of 143 million US consumers; the hacking of Yahoo's customer records, affecting over 1 billion users; and 'a data breach at a leading South African company that resulted in the loss of personally identifiable information for an estimated 31 million people, including the president, finance minister, and police minister. The data included income, address, and phone numbers'.

What kind of data is involved?

Compromised voter data generally comprises data from two possible sources:

Official voter registers: While varieties exist across differentcountries, most voter registers consist of a combination of voter name, date of birth and current residence, which can either be self-reported or automatically updated by state or governmental bodies. Depending on national structures, official registers may be administered at the state or local level. In the United States, depending on the state, such information is stored on digital spreadsheets and can be emailed to those purchasing the voter files. Voter registers can also be centralised into national-level registers, as in the United Kingdom, where they can be acquired in various spreadsheet formats as well as a printed document.

Voter files: Voter files are created in-house by political parties or by political data consultants for campaigning purposes. Voter files often consist of basic contact details typically sourced from public or governmental records, such as census or voter registration, which can be - and often are - enhanced by third-party datasets. These datasets are composed of a range of sources, from online and offline consumer and behavioural data from data brokers, to credit data from credit bureaus, to canvassing data from campaign volunteers. Frequently, voter files are managed by proprietary software platforms specialising in campaign technology.

4_upguard_voterprojections

Screenshot of Deep Root Analytics RNC voter data exposure, which was discovered by UpGuard’s cyber risk analyst Chris Vickery, showing ‘RNC ID’ numbers and a modelled score of likelihood of voters supporting certain policies.
Source: Dan O’Sullivan. “The RNC Files: Inside the Largest US Voter Data Leak.” UpGuard, accessed 4 September 2018

Some examples

Breaches

In Hong Kong: In March 2017, two laptops belonging to Hong Kong's Registration and Electoral Office were stolen during the AsiaWorld Expo. The hardware contained information about all of Hong Kong's 3.78 million registered voters, 'including their names, addresses, ID card numbers, mobile phone numbers and the geographical constituencies in which they were registered'. Furthermore, the names of the 1,194 electors on Hong Kong's Election Committee were stored on the laptops. While the data was reportedly encrypted, detectives investigating the theft reportedly did not rule out the possibility that the incident was the result of an inside job.

In the Philippines: In 2016, in what has been described as 'one of the biggest government-related data breaches in history', the website of the Philippine Commission on Elections was subjected to a cyberattack. Simultaneously, a website went live claiming to contain the full 340-gigabyte database of 55 million registered voters. Other reports raise the number of those affected by theleak to 70 million. The breached data included names, dates of birth, addresses, e-mail addresses, parent's full names and in some cases passport details andtext markers of fingerprints - all published online. The website attack and data-hack were claimed by Anonymous Philippines and LulzSec Philippines.

1_anonymous_phil

A screenshot of the Philippines’ commission on elections’ website which was defaced as part of a voter data breach by Anonymous Philippines in 2016.
Source: http://www.comelec.gov.ph, 27 March 2016.

Leaks

In Lebanon: In April 2018, it was reported that Lebanese embassies made available the personal data of Lebanese citizens living abroad. The Lebanese embassy in the UAE sent an email to Lebanese residing in the country with an attached spreadsheet containing the personal details of more than 5,000 Lebanese citizens who registered to vote in the upcoming elections, asking those contacted to confirm their voter registration information. The Lebanese embassy in the Hague sent a similar email to more than 200 recipients containing an attached spreadsheet with the personal data of Lebanese voters in the Netherlands. Moreover, the person who sent the email entered all the recipient addresses in the Cc: field instead of using the Bcc: field. In both cases the personal information in the spreadsheets included each voter's full name, mother's name, father's name, sex, date of birth, religion, marital status and address.

2_lebanon_email

SMEX obtained this screenshot of an email sent by a Lebanese embassy with an attached spreadsheet of registered voters.
Source: "Lebanese Embassies Expose the Personal Data of Registered Voters Living Abroad.” SMEX: Channeling Advocacy, 6 April, 2018.

In Mexico: In 2016, security researcher Chris Vickery located the Mexican voter roll, containing the personal records of 87 million Mexican voters, in a poorly configured database hosted on Amazon Web Services. The leak included names, addresses, birth dates and national ID numbers and was detected through fairly common IT security practices. After an internal investigation, the Instituto Nacional Electoral fined the Mexican political party Movimiento Ciudadano US$ 1.8 million for negligence in failing to properly secure its copy of the list.

3_mexico_pngvoter

A redacted screenshot of a Mexican citizen record found in a major data breach provided by MacKeeper security researcher, Chris Vickery, to use in a story run by The Daily Dot.
Source: Dell Cameron. “Private Records of 93.4 Million Mexican Voters Exposed in Data Breach.” The Daily Dot, 22 April 2016.

In the US: In 2017, cybersecurity researchers at UpGuard identified a misconfigured database containing the personal details of 198 million US voters. The leaked data included the full name of a given voter, voter's date of birth, home and mailing addresses, phone number, registered party, self-reported racial demographic, voter registration status and even whether they are on the federal 'Do Not Call' list. Also included as data fields were the 'modeled ethnicity' and 'modeled religion' of the potential voter. The leak included data from campaigning firms Deep Root Analytics, TargetPoint Consulting, Inc. and Data Trust - all contracted by the Republican National Committee. The poorly secured 1.1-terabyte database was discovered on an Amazon server and was accessible. In the end, the leak exposed details of nearly all 200 million registered US voters.

Hacks

In Turkey: In 2016, an unnamed hacker posted a downloadable 6.6-gigabyte file, titled Turkish Citizenship Database, which appeared to contain personal data of some 50 million citizens, including their names, addresses, parents' first names, places of birth, birth dates and a national identifier number. While the affected data appeared to be from 2008, Isik Mater, a Turkish privacy activist stated to Wired: 'I searched my name on the list and reached all my family data... It doesn't matter if the data is from 2008 because I still have the same name, same last name, same home address and obviously the same national ID number so it means that, the leak data is up-to-date for me and for lots of other people which makes the leak very, very serious'.

In the US: In October 2018, two cybercrime intelligence research firms reported that an estimated 35 million US voter registration details were being offered for sale on a known dark web hacking forum. The data trove consisted of up-to-date 2018 voter registrations for at least 19 states. The researchers further reported that members of the forum banded together to crowdfund the asking price for the individual databases. While the voter files of these states are considered to be 'public' and available for sale, most states limit access to authorised entities, such as campaigns or researchers, and are barred from being republished. Furthermore, the research teams assessed that due to the nature of the available data the illicit vendor 'may have persistent access and/or contact with government officials from each state'.

5_19-us-state-voter-list

In an article researched and written by Anomali Labs and Intel471, it was found that illegally gained voter lists for 19 US states were advertised on a dark web hacker forum.
Source: Anomali Labs. “Estimated 35 Million Voter Records For Sale on Popular Hacking Forum.” Anomali, accessed 7 March 2019.

How do I know if it's affecting me?

Breaches, leaks and hacks of voter data tend to receive less high-profile media coverage, with public attention frequently focusing on state or party-led disinformation campaigns in national or even small scale elections. Often, compromised voter data is covered by specialist blogs, cybersecurity researchers or niche websites making it more difficult for the non-specialist audiences to know when and where a voter data breach has occurred, let alone if they have been affected. However, in major incidents, such as the 2017 leak of nearly 200 million US voter details, news stories are the most accessible source of information.

Considerations

↘ Leaked, hacked or breached voter data has yet to be publicly acknowledged as a source of data for digital campaigning by political campaigns. The nature of how voter data is acquired in these examples, however, means that there is little insight into what role these leaks, hacks and breaches of voter data have in the course of an election. What we do know, however, is that there have been media reports of specifically politically motivated hackers, such as Andrés Sepúlveda in Latin America, and cases where compromised voter data was used to disrupt the election process.

↘ The breadth, depth and country contexts of these breaches, leaks and hacks of voter data vary across each instance, making it difficult to come to a uniform judgment about their full implications. While in some instances it was claimed that the compromised data was outdated and thus of arguably lesser value, other examples of breached data have more serious impacts. For example, in October 2018 a security researcher was able to access an unprotected and internet-connected storage device belonging to Rice Consulting, a US fundraising firm hired by the Democratic Party. Along with personal data of fundraisers, from phone numbers, to names, email and postal addresses, the database contained contracts, meeting notes, desktop backups and employee details. Significantly, the instance also contained access details to NGP, the voter database management suite used by the Democratic Party.

6-data-breach-rice-ngp

A screenshot of a redacted spreadsheet of NGP access credentials as found in the Rice Consulting breach. The exposed data was found by the Director of Cyber Risk Research at Hacken, a cyber-security research firm, using an Internet of Things search engine.
Source: Diachenko, Bob. “More than Just a Data Breach: A Democratic Fundraising Firm Exposure.” Hacken Blog, accessed 6 March 2019.

↘ Ultimately, the value of voter data is significant, especially if it becomes exposed on the open internet. There is generally a lack of oversight of how this data is stored, secured and handled. Political campaigns, data consultants and service providers have an obligation to handle data in their care with consideration. Changes in data protection laws in the European Union find an entity handling data responsible not only for a data leak or breach, but also for reporting it in a timely manner. According to a survey of the campaigning industry, cybersecurity experts still warn that 'most of the industry isn't taking the threat of digital interference in elections seriously enough' and that poor security practices by individual consultants are the 'weak links' in securing voter data and election integrity.

Author: Gary Wright