If you have voted in a US election recently, there’s a good chance your personal information is included in a trove of voter data found on a publicly available Web server.
A misconfigured database has exposed the personal information in more than 191 million US voter records, according to Chris Vickery, a security researcher who made the discovery and shared his findings with Databreaches.net for a story published Monday. The database contains information required for voter registration — including names, home addresses, dates of birth and home phone numbers — as well as voting history since 2000.
By comparison, the US Census Bureau found that 142.2 million US citizens were registered to vote in 2014.
Vickery told Databreaches.net he confirmed the data’s authenticity by locating his own information. Thankfully, the trove of data did not include Social Security numbers, driver’s license numbers or financial information. Political affiliation and participation in primaries and elections are included, but information on individuals’ voting choices does not seem to appear.
It wasn’t immediately clear who the database belongs to. Vickery attempted to identify the server’s owner through records stored on the Web server but was unsuccessful. Databreaches.net said it contacted the FBI and the attorney general of California, one of the few states that restrict what data may be disclosed.
“When one of their attorneys asked, ‘Well how much data are we talking about?’ and I read her the list of data fields and told her that we had access to voter records of over 17 million California voters, her response was ‘Wow,’ and she promptly forwarded the matter to the head of their e-crime division,” according to a blog post by DataBreaches.net.
The FBI and the California Attorney General’s Office did not respond to requests for comment.
The voter information is just the latest data discovered sitting openly viewable on the Internet and easily accessible with the click of a mouse. Last week, Vickery discovered the unprotected usernames, email addresses and password hints of up to 3.3 million users of SanrioTown.com, designed for fans of Sanrio characters like Hello Kitty. Earlier this month, Vickery also discovered a security hole that exposed the usernames, email addresses and other personal information for 13 million users of MacKeeper, a suite of software that claims to make Macs more secure.
Voter registration lists are public record in most states, but many have restrictions on how the data may be used. In California, voter registration cards are confidential and can only be accessed under certain circumstances. In South Dakota, those requesting access to voter data must confirm that the information “may not be used or sold for any commercial purpose and may not be placed for unrestricted access on the Internet.”
The exposed data could be valuable in an issues-oriented campaign. In the wrong hands, it also poses a threat to voters’ privacy and safety, according to one police officer quoted by Databreaches.net. The officer, who viewed accurate information about himself in the Web server’s data, said he intentionally keeps his address and phone number off the Internet to protect himself and his family.
“I deal with criminals every day who know my name. The thought of some vindictive criminal being able to go to this site and get my address makes me uncomfortable,” he told the site. “I’m also annoyed that people can get my voting record. Whether I vote Republican or Democratic should be my private business.”