Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
Databases Government Network Businesses Cloud Communications Facebook Networking The Internet United States News Technology

154 Million Voter Records Exposed Due To Database Error (dailydot.com) 95

blottsie writes: Chris Vickery, a security researcher at MacKeeper, has uncovered a new voter database containing 154 million voter records, exposed as a result of a CouchDB installation error. The database includes names, addresses, Facebook profile URLs, gun ownership, and more. Who exposed the voter database? Vickery believes the suspect may be linked to L2, a company specializing in voter data utilization, after he noticed that the voter ID field was labeled "LALVOTERID." After calling the company, L2 said the database likely belongs to one of their clients, noting that there are very few clients big enough to have a national database like that. The database was secured within three hours of their phone call. L2's CEO Bruce Willsie said that the client told L2 that they were hacked and the firewall had been taken down. Their client is conducting their own research to figure out the extent of the incursion. The Daily Dot reports: "Why does this keep happening, and what is our government doing about it? No federal agency is enforcing data security in political organizations or non-profits, and so far, neither are state attorneys general."
This discussion has been archived. No new comments can be posted.

154 Million Voter Records Exposed Due To Database Error

Comments Filter:
  • "Why does this keep happening, and what is our government doing about it?"

    If one accepts that all information may be freely shared unless specific restrictions apply, and if the people named in the database hold no such restrictions on those data, then what's the problem?

  • It was reported and quickly fixed. There is very little story here.

  • by hrieke ( 126185 ) on Wednesday June 22, 2016 @08:04PM (#52370985) Homepage

    My flippant answer:
    Cause companies refuse to pay market rate for those who actually know how to secure these things , & pay for the hardware and services.

    Honestly however, this is not a government issue, this is a private industry issue, and it's going to cost money.

    • Re: (Score:3, Insightful)

      by plopez ( 54068 )

      In software there are no consequences for idiocy. There are no laws governing the quality of software, e.g. requiring warranties or health and safety laws. In addition Software "Engineers" are not true engineers as there is no licensing procedure and unlike true engineers no liability for a poor design. So these so called Software "Engineers" can slap code together and get away with out getting sued. The same is true of Network "Engineers", Security "Engineers" etc.

      There is no such thing as "Software Engine

      • I don't know that I completely agree. I think Software Engineers are forgiven mistakes given the complexity of the environment within which they work, however there is liability in any industry, and depending on the level to which you are producing products (ie. medical, scientific), they are held to a certain level of quality.

        The way the industry typically regulates software is by requiring testing. However, testing can't always predict edge cases, for which modern operating systems have a plethora of.

        Ad
      • This.

        Data breaches will halt very soon after litigation becomes the norm.

        At this writing, gatekeepers are not held responsible.

        For every breach, the custodian of the data should pay out the nose.

        Until then?

        Yawn.

    • That's part of the problem - the other is that there are too many people who claim to know what they are doing when it comes to privacy and security, too few who actually do, and no one who is hiring can tell the difference. Getting a cert or a degree does not make you an expert.
  • Because "Oops" (Score:5, Insightful)

    by penguinoid ( 724646 ) on Wednesday June 22, 2016 @08:05PM (#52370987) Homepage Journal

    The reason it keeps happening is that when it happens, the CEO (who, incidentally, decided that security was an expense to be minimized) merely says "Oops, sorry." and then there are no consequences.

    • by tomhath ( 637240 )
      What consequences do you think there should be in this case? The data was already publicly available - L2 was selling it to anyone willing to write a check.
      • L2 was selling it to anyone willing to write a check.

        So the data had value. How about deducting the lost value from his bonus?

    • The reason it keeps happening is that when it happens, the CEO (who, incidentally, decided that security was an expense to be minimized) merely says "Oops, sorry." and then there are no consequences.

      I think that's it. It's not that companies don't care about security, it's just that they can't really afford to care that much. Good security doesn't make them any money and bad security doesn't cost that much, in a world of finite resources the things with poor ROI are the ones that get neglected.

  • by John Jorsett ( 171560 ) on Wednesday June 22, 2016 @08:08PM (#52371017)
    The feds do a lousy job of it themselves, in fact a much worse job. The Office of Personnel Management leak exposed millions of security-cleared personnel's records, including mine. I've already had somebody try to get credit in my name, probably from that breach (but could be from one that my former employer suffered as well). The OPM leak contained exponentially more revealing info than this one. I haven't heard of anyone getting fired for it, either, just the director getting to "step down". BFD.
    • by gtall ( 79522 )

      Yep, because all federal agencies are the same, right? And if some agency of the fed. gov. was given the task of writing the regs and enforcing them for security, Congress would take years to write the legislation to make it happen because the Conservatives would be screeching about fed. overreach, the right of people to be insecure, etc. The Liberals would get their panties in a knot over privacy and making sure it was multi-culti. Then the agency would be burdened with several Congressional committees' ov

  • So ALL the voters? (Score:4, Informative)

    by Anonymous Coward on Wednesday June 22, 2016 @08:24PM (#52371093)

    As of a couple years ago there were 146 million registered voters in the US. A 150m+ breach means EACH AND EVERY VOTER IN THE UNITED STATES.

    • by Anonymous Coward on Wednesday June 22, 2016 @09:09PM (#52371341)

      What voter database contains gun ownership?

      • Or firearms manufacturers.

      • What voter database contains gun ownership?

        This database was created from 100's of other databases. Some states require you to register your firearms. Apparently those databases got included as well.

        • by Anonymous Coward

          And this is exactly why mandatory firearm registration is such a huge no-go issue to anyone who actually cares.

          • The government has a whole bunch of info that it collects but doesn't make public. Drivers license info. Social security info. Information about minors. Tax information. Are you arguing that "anyone who actually cares" is against the Federal Government collecting information on gun ownership or on making that information public? Because if its the former, does "anyone who actually cares" also oppose all government collection of information?
    • by T.E.D. ( 34228 )

      OMG! I found another breach! Right here: ON THE STATE OF OKLAHOMA'S OWN WEBSITE! [slashdot.org]

      You see, it turns out voter registration database are a matter of Public Record. Not only are they not private, but states are legally required to provide them to citizens upon request.

  • by campuscodi ( 4234297 ) on Wednesday June 22, 2016 @09:08PM (#52371337)
    From the article: "Willsie stated that the client told L2 that they were hacked and the firewall had been taken down. The client was now conducting their own research to determine the extent of the incursion." It was a hack, not an installation error.
    • by plopez ( 54068 )

      Unless the installation was so negligent it allowed an attack. This is clearly a case of trotting out the Evil Hackers(tm) to deflect focus on the company's stupidity.

  • The names of registered voters, their party registration and whether they voted in an election is already publicly available information. The rest of what was listed in the story is just a matter of leg work that anyone can do if they want to. It doesn't seem like a big deal to me.

  • by clovis ( 4684 ) on Wednesday June 22, 2016 @09:40PM (#52371493)

    People keep saying it was gathered from publicly available databases.

    What publicly available database has gun ownership? Neither the states nor the feds knows who owns guns. It's against the law (I know, lol) for them to maintain a database of gun owners.

    And how about household income? Where can a person get the household income of other people from a publicly available database?

    • Voter registration information is a public record. It is publicly available. In some states you have to send a letter and a few bucks for the DVD it's copied on. In others you have to check a TOS like form to promise not to use the data for commercial communications. Etc.

      Voter registration is public information and it should be.

      Who owns guns absolutely should not be held in any government database. There are laws that restrict exactly that (on the federal level). But don't kid yourself. California ex

    • Gun ownership info could be gathered from a number of sources. Those response cards on warranties where people indicate their interests, subscriber lists for magazines (which you can buy), etc. etc. It wouldn't be entirely accurate (there are lots of people who own guns who subscribe to Guns & Ammo, and people who don't own guns who do subscribe), but you can get a pretty decent approximation.

      Household income's not that hard to get either (although not the official numbers).

    • Gun ownership may not be known by governments generally, and shouldn't be. However, my great state of Illinois requires registration. Gun owners are registered in the Firearm Owner Identification (FOID) database. If you are caught with ammo in your car and you don't have a FOID card, you're the lucky recipient of a fresh felony charge (can happen if your spouse leaves ammo in the car).

      That doesn't explain the other 49 states, and Illinois' data shouldn't be public, but unfortunately our government knows who

    • It's probably a compilation of data from public records (such as voting registration) and private records (household surveys, etc.).
  • That's what I asked when Die Hard 2 came out...

  • Facebook IDs are part of a voting record?
  • Mackeeper is the number 1 source of adware and malware on the Mac. This "security researcher" works for a company that is evil as f*ck. I'm guessing he hacked and shared the database and then claimed white hat glory for finding the breach. SMH.
    • by jasnw ( 1913892 )
      Wish I had mod points. I was just about to suggest that before anyone takes this report too seriously, a report based on one source, that they go and google MacKeeper. I think I would throw the bullshit flag on this unless it's confirmed by a real, and honest, cybersecurity firm. There's lots of things in this that don't make much sense.
    • by tgv ( 254536 )

      Was going to write the same. MacKeeper is paid malware, plain and simple. I don't know why they'd have security researchers, nor why such a researcher would be interested in such matters.

  • by cliffjumper222 ( 229876 ) on Thursday June 23, 2016 @12:31AM (#52372047)

    For comparison, while data protection and privacy are fundamental rights in the EU, there is no equivalent protection in the US.

    EU data protection consists of several principles, which include, rules on data quality standards, on sensitive data, independent supervision, the purpose limitation principle, rules on inter-agency exchange or transfer of data to third states, time limits for the retention of data, effective judicial review and access possibilities, independent oversight, proportionality elements, notification requirements after surveillance or data breaches, access, correction and deletion rights as well as rules on automated decisions, data security as well as technical protection. These rights and principles are subject to restrictions, but these restrictions are limited by proportionality elements and are continually subject to judicial review. Some of these EU rights, such as notification, supervision or judicial review can also be found in certain US Acts, for instance in the ECPA, however, they only exist in a mitigated form.

    Most of the EU data protection guarantees simply do not exist in US law. Good for businesses, bad for humans.

  • ...exposed because they're public record.
  • by GrandCow ( 229565 ) on Thursday June 23, 2016 @03:50AM (#52372485)

    >Chris Vickery, a security researcher at MacKeeper

    Are you fucking kidding me?

    An article quotes someone who is a "security researcher" for one of the biggest malware companies plaguing macs, and instead of being told to eat every dick on the planet, they're given a link on slashdot so they look somewhat legitimate??? GREAT FUCKING JOB!

  • LOLVOTERID, dammit, not his sister LALVOTERID.

    "best in class", my ass. Couldn't even spell, ffs

  • MacKeeper is the biggest distributor of Mac MALWARE. WTF?

  • by T.E.D. ( 34228 ) on Thursday June 23, 2016 @09:20AM (#52373581)
    Note that a state's voter registration records are NOT private data. Its public record, and anybody has a right to ask for it. For example, here's a link to where you can get the entire registration database for my state [ok.gov].

    Voter registration records include voters' name, address, date of birth, political affiliation, voter ID number, precinct and voting history, technology center district, school district and municipality.

    I used to have a copy for my precinct on my hard-drive. A candidate just up and emailed it to me, unasked.

    • by ledow ( 319597 )

      Correct.

      But in the entire EU, for instance, linking such data to anything else - including date of birth, or facebook profile, etc. instantly takes it out of the "it's just public data" into it's "protected data".

      And in the EU - under our data protection laws that the US currently refuse to abide by causing all sorts of problems with cloud services - this breach would cost you MILLIONS of dollars. Literally, a hospital was fined hundreds of thousands for losing a handful of medical records that they COULDN

The opossum is a very sophisticated animal. It doesn't even get up until 5 or 6 PM.

Working...