News Insights: State Voter Databases for Sale on Dark Web

According to a new report from Carbon Black, 20 different state voter databases are available for purchase on the dark web, several from swing states. Included are voter IDs, full names, current and previous physical addresses, gender, phone number and citizenship status, which the researchers say can be used by entities to send targeted campaign materials to a desired audience and influence election results. The voter databases emerged on Empire Market, and according to Carbon Black, the seller has records on 81,534,624 voters.

 

Craig Young, computer security researcher for Tripwire’s Vulnerability and Exposure Research Team (VERT), provided the following comments:

“Most if not all of this data is available from a variety of public sources. In many states, this data can be obtained by simply filing a request with the state election board and possibly paying a small administrative fee. While it is interesting to see criminals aggregate and resell public data, I don’t believe this has any meaningful impact on risk toward voters.”

Cybersecurity experts have commented on the availability of voter records on the dark web, as detailed by Carbon Black in its new research report. Here is a roundup of comments and related stats:

 

Gabriel Gumbs, vice president of product strategy at STEALTHbits Technologies:

“Being offered for sale and being purchased are very different. A lot of this information is either public, already leaked by services like Facebook or can be purchased legally from several sources. The real concern from a security perspective is how this information, whether obtained through nefarious means or legal but still shady means, can and will be used for social attacks. Equally of concern is the fact that there is no Federal law that governs this type of data, but otherwise a patchwork of states privacy laws. More regulation is not normally something I would call for, however, having a well-defined and widely applied standard for identification and protection of citizen data is something we can learn from our European counterparts.”

 

Colin Bastable, CEO of Lucy Security, reminds us that “These are publicly-available records, e.g. Florida (https://dos.myflorida.com/elections/for-voters/voter-registration/voter-information-as-a-public-record/). Section 97.0585, Fla. Stat. says: ‘Once filed, with few exceptions, all voter registration information is public record including your name, address, date of birth, party affiliation, phone number and email address. Your social security number, your driver’s license number or state identification card number, and the source of your voter registration application CANNOT be released or disclosed to the public under any circumstances, and can only be used for voter registration purposes. Your signature can be viewed, but not copied.’”

 

Paul Bischoff, privacy advocate at Comparitech.com:

“While the sale of voter records on the dark web might strike some people as troubling, it’s worth noting that both major political parties in the US already have their hands on such registered voter databases compiled by non-partisan private companies. Furthermore, US voter data was previously leaked as recently as 2015, in which an unsecured database exposed 191 million records, over twice as many as the database revealed by Carbon Black (https://www.reuters.com/article/us-usa-voters-breach-idUSKBN0UB1E020151229). You can even search an open database of 65 million voter records at Voterrecords.com.

Put into a larger context, the sale of 81 million voter records on the dark web probably won’t sway an election. It does not include how those people voted or their political affiliations, according to the reports I’ve read. Such information is already easily available from legitimate vendors.”

 

Jeff Hudson, CEO of Venafi:

“Last year, attendees at DEF CON managed to find and take advantage of vulnerabilities in five different voting machine types within 24 hours. While these findings were disturbing, conference attendees only examined a small portion of election infrastructure. It’s clear to nearly all security professionals that the back-end systems that transmit, aggregate, tabulate, validate and store election data are at least as vulnerable to cyber-attacks as voting machines.

The bottom line is that the notion of war is changing from something that you do with bullets and guns on the ground to something you do with bits and bytes. Essentially, this is a war about compromising and controlling information. Once you fully understand that, it’s pretty easy to see that we are in a full-on cyber war right now.”

And from the recent Venafi election security survey:

  • 93% of security professionals are concerned about cyber-attacks targeting election infrastructure and data.
  • 81% believe cyber criminals will target election data as it is transmitted by machines, software and hardware applications, from local polling stations to central aggregation points.
  • 95% believe election systems—including voting machines, software and back-end systems—should be considered critical infrastructure.
  • When asked what areas of election infrastructure were most vulnerable to cyber attackers:
    • 52% say voting machines that collect election data.
    • 52% say encrypted communications between polling stations and back-end election systems.
    • 50% say systems that store voter registration data.
  • Only 2% are very confident in their local, state and federal governments’ abilities to detect cyber-attacks targeting election infrastructure. In addition, only 3% are very confident in their local, state and federal governments’ abilities to block them.
  • 64% believe vulnerabilities and exploits connected with election systems are available to cyber attackers on the dark web.

 

 

 

 
