Late last Saturday afternoon, Chris Vickery, a white hat computer hacker, notified Illinois elections officials that he had found the entire Chicago voter file unsecured on an Amazon Web Server.
By 5:30 p.m. Saturday, a Chicago Board of Elections spokesperson says they were notified that 1.8 million records of Chicago voter files with additional identifying information, like driver’s licenses and partial social security numbers, were exposed to public access. According to a spokesperson, the file, maintained by contractor ES&S, was secured by 9:44 p.m. Saturday evening.
ES&S has not been able to determine for the Chicago Board of Elections how long that file was unsecured. The Board is now reviewing their contract with the company, said spokesperson Jim Allen.
Whether or not the file was accessed by anyone before Vickery gave notice to election officials is under investigation with a third party forensic analyst, Crowdstrike, contracted by ES&S, says Allen. The data, which included names, addresses, dates of birth, partial Social Security numbers, and in some cases, driver’s license and state ID numbers, was provided to ES&S by the Board of Elections so the company could maintain electronic poll books and verify voters on election day.
“ES&S has liability for this, period. This is our file that they agreed to protect,” said Allen. “ES&S will be responsible for any expenses or notices that will go out to voters. This was a violation of the terms of the contract for voter identifying information. The contract explicitly calls for the contractor to keep that data secured, period.”
“We’re into election day registration, so we need to look for duplicates. We’re trying to protect the security of the entire voting franchise so no one can vote twice,” said Allen.
ES&S is the only outside organization that obtains detailed voter file information, says Allen. One other company accesses data “in house” on Chicago Board of Elections servers.
“They transfer a very limited amount of public information for the chipollworker.com–name, address, year of birth, not vote history,” said Allen. Chipollworker.com is used to register election judges and coordinators in Chicago.
Chris Vickery, Director of Research for cybersecurity company UpGuard, acts as a kind of “cybersecurity good guy” by searching the web for databases with unprotected information, and then notifying the companies and organizations about the breach.
ES&S is a national election systems company based in Omaha, Nebraska that provides data management services and voting machines. Their voting machines came under considerable scrutiny nationally for poor security following the 2016 election.
“We deeply regret that this happened. We cannot stress that enough,” said Allen.