IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Breach Exposes Ill. Counties Data, Including Voting Records

An unsecured platform made roughly 4.6 million records across a dozen Illinois counties temporarily available on the Internet. Information exposed included voting registrations. The vulnerability was identified in July.

Breach
(TNS) — Around 4.6 million records associated with Illinoisans in over a dozen counties — including voting records, registrations and death certificates — were temporarily available on the open internet, according to a security researcher who identified the vulnerability in July.

The documents were available through an unsecured cloud storage platform. They included Social Security numbers, dates of birth, addresses and voter registration history.

Election security experts said the breach is unlikely to affect the upcoming election but could make affected individuals susceptible to identity theft.

The researcher, Jeremiah Fowler, has also identified similar data vulnerabilities which exposed thousands of rail passengers' travel details in the United Kingdom and over 4 million student records in the U.S., among others.

"It's probably some of the most sensitive voter data I've seen," Fowler told Capitol News Illinois. "And I've been doing this around 10 years."

Fowler identified 15 unsecure databases before contacting several county clerks and eventually a technology vendor that is contracted to provide services for those counties.

Fowler told Capitol News Illinois that the list of counties affected include Alexander, Boone, Champaign, DeKalb, Effingham, Gallatin, Hamilton, Henry, Jefferson, Ogle, Pike, Sangamon, St. Clair, Williamson and Winnebago.

He traced the issue to Platinum Technology Resource, an elections technology company based in Batavia. It is unclear if anyone other than Fowler accessed the information, although Platinum has denied that any voter registration forms were "leaked or stolen."

Capitol News Illinois contacted county clerks in all of the counties Fowler identified. All but one, Alexander County, responded and indicated they had been in communication with Platinum about the issue. One other county, Henry, denied that they were affected by the incident.

St. Clair County was also named in a separate report from Cybernews, a cybersecurity news and research company, that alleges 470,000 records were exposed in a similar incident earlier this year.

That report said the exposed data included online voter applications and change-of-address forms that included Social Security numbers, dates of birth, names, current and former addresses, driver's license numbers, contact information, and more.

When asked about the Cybernews report, St. Clair County Clerk Thomas Holbrook referred Capitol News Illinois to Platinum, but didn't comment further on the issue. Platinum Chief Operating Officer Jay Bennett said the company "has no knowledge or involvement" of the March incident.

Platinum's website indicates it currently contracts with 20 election authorities around Illinois. A Capitol News Illinois review of 12 of its contracts showed they had a cumulative value of more than $1.7 million of annual license fees ranging from about $4,500 to $58,000.

Some counties also contract with Platinum for election night support and other services. In St. Clair County, these services cost more than $130,000 per election.

Fowler said he reported the vulnerability to Platinum on July 18 but did not receive a response. Bennett said Platinum was unable to reach Fowler after he reported the incident.

Fowler then reported the issue to Magenium, Platinum's IT services provider, on July 19. He then spoke to an individual at Magenium, who confirmed the databases were secure, before he published a report with his findings on Aug. 2.

This is in line with guidance from the Association for Computing Machinery's Committee on Professional Ethics, which advises those who identify vulnerabilities within computer systems to notify those responsible for maintaining those systems before making their findings public.

"At the end of the day, it's not about naming and shaming contractors," Fowler said. "Every company does the best they can. It's about identifying, strengthening the system and learning from it."

A county clerk alerted the Illinois State Board of Elections of the situation, according to board spokesperson Matt Dietrich. The board, which does not contract with Platinum, alerted county clerks of the situation on July 19.

Platinum distributed a notification to impacted counties in early August, two weeks after being initially notified.

"We have evidence of a claim the file storage containing voter registration documents may have been scanned," the company wrote in a message obtained by Capitol News Illinois. "The containers are securely segregated from the overall system, which we can assure you has not been scanned or accessed."

In its message to affected counties, the company also said it "used this opportunity to deploy new and additional safeguards around voter registration documents," although it did not describe those safeguards.

(c)2024 the Commercial-News (Danville, Ill.) Visit the Commercial-News (Danville, Ill.) at www.commercial-news.com Distributed by Tribune Content Agency, LLC.