TechRadar
Benedict Collins

Millions of voter documents leaked online — fears of election interference rise following breach

The voter documents of 4.6 million Americans have been leaked online after being stolen from 13 non-password-protected databases.

The databases contained voter records, ballots, and election-related records that include personally identifiable information (PII), Social Security numbers (SSN), and driver's license and voter ID numbers.

There are fears the information could be used maliciously to commit identity theft, data theft, voter fraud and intimidation, and even election disruption.

Elections at risk

The databases were found by cybersecurity researcher Jeremiah Fowler, and subsequently reported to VpnMentor. Fowler used news articles and freedom of information requests to identify that a company called Platinum Technology Resource was responsible for the unprotected databases.

Fowler originally discovered a single unprotected database containing information from a single county in Illinois, but upon replacing the county name within the database name format, he discovered an additional 13 open databases, alongside 15 that were not publicly accessible.

Platinum Technology Resource is a company that provides election-related services such as ballot printing and voter registration software. The voter information portal linked to the exposed databases redirects to a domain indicating “Platinum vrms”, which Fowler speculates stands for “voter record management system.”

This screenshot shows a voter document displaying the individual’s name, address, date of birth, and full SSN. (Image credit: VpnMentor / Jeremiah Fowler)

The exposed databases were reported to a partner company of Platinum Technology Resource called Magenium. They were then restricted, but it is unknown how long the databases were exposed or who could have accessed them, with Fowler noting that “only an internal forensic audit could identify additional access or suspicious activity.”

There were claims spread on social media during the 2020 election that votes were cast in the names of deceased family members, but Fowler cross-referenced several exposed death records and found that none of the deceased were listed on active voter databases.

The other exposed information relating to those on the active voter list could be used maliciously, as the information found within the databases included full names, physical addresses, some email addresses, dates of birth, SSNs (full and partial) or driver’s license numbers, and historical voting records. There were also copies of voter registration applications, death certificates, and records of change of address, jurisdiction, or state.

This screenshot shows an early voter list containing the names and physical addresses of the individuals. The list also details whether each of them voted or not. (Image credit: VpnMentor / Jeremiah Fowler)

Additionally, candidate documents containing personal phone numbers, email addresses, and home addresses were identified, as well as petitions with voter signatures, addresses, candidate loyalty oath, economic interest, and additional supporting documentation. Fowler also uncovered documents marked as official ballot templates for primaries and general elections.

If these documents were accessed by nation states such as Russia or China, or by political activists, they could be used for mass disinformation campaigns or voter intimidation. There are also concerns that the information could be used by criminals to send out multiple ballots by mail in the name of one voter, sowing distrust in the electoral process and causing legal issues for the real voter whose name was used.

Fowler recommends that any organization that manages and stores sensitive information follow cyber security best practices, and use unique formats for database names to prevent someone from jumping from one database to the next by simply replacing one word, as Fowler did.

This screenshot shows a .csv document indicating absentee voters located outside of the United States. The file includes overseas addresses, phone numbers, and email addresses. (Image credit: VpnMentor / Jeremiah Fowler)
