Security researchers from Anomali and Intel 471 made a troublesome discovery regarding personally identifiable information belonging to US residents. The researchers came across Dark Web communications that offered “a large quantity of voter databases for sale”.
Personally identifiable information and voting history is included in the databases. Apparently, at least 19 states appear to be affected, and 23 million records for three of the 19 states.
Millions of Names, Phone Numbers and Voting Histories Sold
The data that is being offered for sale comes from updated statewide voter lists, and includes millions of full addresses, phone numbers, and names. It also appears that the seller receives weekly updates of voter registration data across the United States, and that the data is received via contacts within the state government. The researchers also note that:
Certain states require the seller to personally travel to locations in-state to receive the updated voter information. This suggests the information disclosure is not necessarily a technical compromise but rather a likely targeted campaign by a threat actor redistributing possibly legitimately obtained voter data for malicious purposes on a cybercrime forum.
This dataset may represent “the first reference on the criminal underground of actors selling or distributing lists of 2018 voter registration data” that includes the personal and voting information of US citizens.
With the upcoming November 2018 midterm elections in the US, the addition of these voter records to other breached data, could result in malicious actors disrupting the electoral process or seeking large-scale identity theft, the researchers warned.
In 2015, security experts identified a misconfigured database, consisting of personal details of exactly 191,337,174 US voters, or over 300 GB worth of data.
As a matter of fact, sustaining voter databases is a typical practice in the United States. Most states have different sets on how to operate with such databases, and what type of information should be public or private.
However, when the time comes, such databases are aggregated and possibly sold to authorized parties, which may be political parties, not-for-profit organizations, scholars, journalists, or legal representatives.