Cybercrime , Cybercrime as-a-service , Data Loss Prevention (DLP)

US Voter Records for Sale on Hacker Forum

Exposure Highlights Scant Protection Afforded to Voter Registration Records
US Voter Records for Sale on Hacker Forum
Hacking forum advertisement offers U.S. voter registration records from 20 states for sale

A batch of U.S. voter registration records from 20 states has appeared for sale online in what appears to be an illegitimate offering. While it's far from the largest-ever seen leak of voter data, the incident again highlights the lax controls too often applied to voter records.

See Also: Check Kiting In The Digital Age

Two security companies, Anomali Labs and Intel 471, found the data via an advertisement on a web forum where data often gets traded. Although the forum requires registration to become a member, the advertisement is viewable on the open web without registering.

Anomali Labs writes that its researchers have "reviewed a sample of the database records and determined the data to be valid, with a high degree of confidence."

Unauthorized Redistribution?

Even though voter registration records may contain sensitive personal information that can be damaging if it ends up in the wrong hands, such data remains among the least protected.

Laws across the 50 U.S. states vary in relation to access and use of voter registration data. All but 11 states allow some public access to electoral roles. All states do, however, allow political parties and candidates to have access to voter registration records, which means that there are often innumerable potential points of compromise.

There has also been a long run of leaks and breaches that have already exposed most U.S. registered voters' personal information. Also, many third-party aggregators collect such data., for example, claims to have records on 65 million voters across 15 states.

Even so, whoever is advertising the recently discovered batch of records says they have access to weekly updates to the information. Given that the U.S. midterm elections are three weeks away, that would mean portions of the data could have been updated recently (see Why the Midterm Elections Are Hackable).

Anomali writes that whoever is advertising the data may have persistent access to a database of voter records.

"This suggests the information disclosure is not necessarily a technical compromise, but rather a likely targeted campaign by a threat actor redistributing possibly legitimately obtained voter data for malicious purposes on a cybercrime forum," Anomali writes.

Priciest Data: Wisconsin

The advertised data comes from the following states: Georgia, Idaho, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Mississippi, Montana, New Mexico, Oregon, South Carolina, South Carolina, South Dakota, Tennessee, Texas, Utah, West Virginia, Wisconsin and Wyoming.

The advertiser claims their data sets include phone numbers, full addresses and full names among other information, which would be consistent with what states collect.

The highest listed price is $12,500 for Wisconsin's 6 million voter registration records. It isn't clear why that batch is the priciest. But in presidential election years, Wisconsin is a key state because winning its Electoral College votes can help push a candidate toward a successful nomination.

The full batch of Louisiana's records are listed for $5,000, which is the second most expensive data set for any of the states on offer. The advertisement says 3 million records are available.

Louisiana offers its own voter registration records for purchase online. Buyers can customize their lists according to race, gender, political party and parish, as well as get data on a particular person's voting participation history. The list is either then sent as a PDF or a tab-delimited text file over email, according to Louisiana's Secretary of State's office. According to a price list, the highest charge for any voter-related data in Louisiana is $5,000.

Louisiana's price list for voter registration data (Source: Louisiana's Secretary of State)

Anomali writes that after the advertisement that it spotted was published, another high-profile forum participant appears to have begun a crowdfunding campaign to buy some of the proffered databases.

An effort to crowdfund leaked voter data for the state of Oregon (Source: Anomali Labs)

"According to the actor, the purchased databases would be made available free of charge to all registered members of the hacker forum, with early access given to donors of the project," Anomali writes. "At the time of this report, the first of 19 available voter databases, Kansas, has been acquired and published."

Latest Leak - Far From the Largest

Anomali Labs estimates the total number of voter records being offered for sale via the forum advertiser is 35 million. While that quantity is nothing to sniff at, it still would still put this leak well behind preceding ones.

The mother of all U.S. voter registration leaks came from a company called Deep Root Analytics. In June 2017, the company said it took "full responsibility" for exposing 198 million voter registration records online for up to two weeks (see 198 Million US Voter Records Left Online For Two Weeks).

Chris Vickery, director of Cyber Risk Research at UpGuard, found that data. It was mistakenly exposed after the company failed to secure an Amazon Web Services S3 storage bucket, in what is an all-too-common error.

Prior to that, in 2015, Vickery found another large exposure. About 191 million U.S. voter registration records were leaked, including full names, mailing addresses, phone numbers, birth dates and when people participated in primaries and elections (see 191 Million U.S. Voter Registration Records Exposed?).

The owner of the database appeared to be a mystery. But Vickery noted that one week after he began collaborating with others to get it offline, the database was taken down.

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.