Database of 191 Million U.S. Voters Exposed on Internet: Researcher

By Jim Finkle and Dustin Volz

(Reuters) – An independent computer security researcher uncovered a database of information on 191 million voters that is exposed on the open Internet due to an incorrectly configured database, he said on Monday.

The database includes names, addresses, birth dates, party affiliations, phone numbers and emails of voters in all 50 U.S. states and Washington, researcher Chris Vickery said in a phone interview.

Vickery, a tech support specialist from Austin, Texas, said he found the database while searching for information exposed on the Web in a bid to raise awareness of data leaks.

Vickery said he could not tell whether others had accessed the voter database, which took about a day to download.

While voter data is typically considered public information, it would be time-consuming and expensive to gather a database of all American voters. A trove of all U.S. voter data could be valuable to criminals looking for lists of large numbers of targets for a variety of fraud schemes.

“The alarming part is that the information is so concentrated,” Vickery said.

Vickery said he has not been able to identify who controls the database, but that he is working with U.S. federal authorities to find the owner so they can remove it from public view. He declined to identify the agencies.

A representative with the Federal Bureau of Investigation declined to comment.

A representative with the U.S. Federal Elections Commission, which regulates campaign financing, said the agency does not have jurisdiction over protecting voter records.

Regulations on protecting voter data vary from state to state, with many states imposing no restrictions. California, for example, requires that voter data be used for political purposes only and not be available to persons outside of the United States.

Privacy advocates said Vickery’s findings were troubling.

“Privacy regulations are required so a person’s political information can be kept private and safe,” said Jeff Chester, executive director of the Washington-based Center for Digital Democracy.

The leak was first reported by CSO Online and Databreaches.net, computer and privacy news sites that Vickery said helped him attempt to locate the database’s owner.

CSO Online said the exposed information may have originally come from campaign software provider NationBuilder because the leak included data codes similar to those used by that firm.

In a statement, NationBuilder Chief Executive Officer Jim Gilliam said the database was not created by the Los Angeles-based company, but that some of its information may have come from data it freely supplies to political campaigns.

“From what we’ve seen, the voter information included is already publicly available from each state government, so no new or private information was released in this database,” Gilliam said.

(Reporting by Jim Finkle and Dustin Volz; Editing by Jonathan Oatis)

Children among 5 million affected by VTech hack

Hackers gained access to the private information of about 5 million adults and children who used VTech toys, and some security experts warn that similar data breaches could follow.

The Hong Kong-based digital toy manufacturer announced the massive data breach in a news release on Friday, saying a hacker compromised the company’s Learning Lodge earlier this month. The Learning Lodge is a portal that customers use to download content to VTech toys.

The hackers gained access to VTech’s customer database, which the company said includes information like email addresses and passwords but not social security or credit card numbers.

PC Magazine reported the hack was the fourth largest breach of consumer data on record.

The online technology magazine Motherboard reported on Monday that it spoke to the hacker behind the breach. The hacker claimed he also accessed photographs of children and transcripts of conversations between parents and their kids, some of which dated back to last November.

That data was reportedly sent through VTech’s Kid Connect service, a channel through which adults with smartphones and children with VTech tablets can exchange text and audio messages.

The hacker told Motherboard he didn’t intend to publish or release any of the data he obtained.

VTech said it investigated the breach and implemented steps to combat further attacks. Attorneys general from Connecticut and Illinois said they will also investigate, Reuters reported Monday.

The Reuters report quoted cyber security experts who cautioned that additional breaches like this one are possible. While many digital toys collect data, the experts told Reuters that toy makers don’t necessarily have the same security background as others in the tech industry.

“VTech is a toymaker and I don’t expect them to be security superstars,” Tod Beardsley, the security research manager at the cyber security company Rapid7 Inc., told Reuters. “They are amateurs in the field of security.”

Hong Kong’s Office of the Privacy Commissioner for Personal Data began a “compliance check” on VTech on Tuesday, according to a news release. The inquiry will examine if VTech did enough to safeguard the data before it was breached, as well as the corrective measures it implemented.