Lessons Learned from the Illinois Voter Data Breach and How to Protect Election Infrastructure
Recently I discovered and shared with vpnMentor about 15 unprotected and publicly exposed databases. They contained 4.6 million records, including sensitive Illinois voter information. Now that the dust has settled and as the US election nears, I wanted to reflect on the potential vulnerabilities in election infrastructure, how to protect voter data, and other privacy-related risks.
In this case, the databases held voter registration records, ballot templates, death certificates, and much more. These documents contain personally identifiable information (PII) like Social Security Numbers (SSNs), voter ID numbers, and driver’s license numbers. The exposure was quickly secured, and public access was restricted following my responsible disclosure. Yet, the incident highlights several critical lessons — particularly the need for better protections of voter records nationwide.
In the weeks after publishing my report of the incident, I had numerous discussions with journalists, officials, and members of the general public. The most common question I was asked was: are citizens at risk of fraud, disinformation campaigns, and election interference by domestic or foreign groups? The short answer, in my opinion, is yes. It is hypothetically possible, and we are already seeing a flood of disinformation on social media.
As a cyber security researcher, my focus is on data protection and not any form of political affiliation or conspiracy theories. Protecting voter data is an independent issue. My goals are to raise awareness and promote the necessary steps to ensure that election-related data is secure and common vulnerabilities can be identified before they are potentially exploited.
One major issue surrounding voter data integrity is that many jurisdictions do not have the budgets or the resources to develop and maintain the technical infrastructure needed to securely store and manage sensitive voter records. These jurisdictions often choose to contract a third-party private company to provide the technology services they need. The potential downside to outsourcing voter record management is that the jurisdictions no longer retain physical control of their citizens’ data. They also have no control over the data security and protection methods used by the third-party contractor. It presents a concerning scenario where you are only as strong as your weakest technology contractor.
Another issue is that most states do not prescribe uniform standards for securing voter records. In a phone call to the Illinois State Board of Elections, I was told that they “have no control over how individual counties collect, store, and manage voter data”. Having a decentralized system with no standardized data management practices could potentially create significant cybersecurity risks. Varying security practices could potentially leave some localities and their election infrastructure more vulnerable to cyber threats. Without strict data protection guidelines, jurisdictions with weaker systems could theoretically be easy targets for a wide range of malicious attacks. Moreover, having no uniform standard could also complicate the ability to coordinate an incident response to cyber threats across jurisdictions. This could stall the response to an incident and the recovery process while undermining trust in election officials.
I am not saying that the voter data that I discovered was compromised or exploited in any way, nor am I claiming or implying that it was implicated in any potential threats by attackers either foreign or domestic. However, it is important to know the potential risks of a worst-case scenario regarding how exposed voter data could be used to undermine or interfere with the election process.
Potential Risks Associated with Exposed Voter Data
Here are some hypothetical tactics that criminals could use. Although these methods would not likely change the outcome of a national election, they could potentially make a difference in small rural elections or in jurisdictions where elections are a close-run thing.
Mail-In Ballot Fraud: If criminals had an individual voter’s PII and voter ID number, they could possibly request mail-in ballots. With the driver’s license number, they could potentially request a change of address or even intercept the mail-in ballot from the legitimate voter. Once they have it, they could fraudulently complete and submit the ballot. This could potentially cause voter confusion or trigger an investigation by the authorities.
Ballot Spoiling: Criminals could submit multiple incorrect or intentionally flawed absentee ballots using the stolen voter data of real people. This could lead to those ballots being rejected, including the legitimate votes. This method could be used to overwhelm the local officials and put the entire process in doubt.
Manipulating Voter Information: Some voting systems could allow voters to change or update their details online. Hypothetically, a criminal with the correct PII of a voter could change their home address or party affiliation. This means that, when the legitimate voter arrives at the “wrong” voting location, they could be turned away and asked to go to their home district. Changing their party affiliation, on the other hand, could affect their ability to vote in primary elections. Many of the documents I saw in the data breach were PDF or image files. If an image were altered to change the voter ID number, the spelling of a name, or other information, it could create problems for the voter the next time the records are updated or if their votes were questioned in an audit.
Deregistering Voters: Some states (like Georgia) offer voter registration cancellations online, making it hypothetically possible to use an individual’s ID number to cancel or suspend their voter registration. If a victim has been deregistered and is unaware, they could be denied the right to vote. By the time they realize that they have been removed from the voter roll, it would be too late to fix the problem.
Voter Suppression and Disinformation Campaigns: Multiple US government agencies have indicated that various foreign adversaries are actively running disinformation campaigns in an attempt to influence elections. This includes using AI-generated content and targeting individual voters in swing states. Theoretically, by using demographic data (such as age, race, and political affiliation), malicious actors could identify specific groups to target with misinformation campaigns on issues that are important to those voters. Additionally, they could also attempt to target specific voter groups by sharing incorrect polling locations, bogus voter ID requirements, wrong election dates, or other false information to reduce voter turnout.
Compromising Election Workers: Another potential concern would be phishing attacks targeting election workers because these individuals have access to sensitive voter data. By compromising election workers, officials, or third-party contractors, criminals could gain administrative credentials or unauthorized access to election infrastructure.
In each of these scenarios, the stolen voter ID numbers by themselves may not be enough to carry out complex election fraud on a massive scale. However, when combined with other personal information or with vulnerabilities in the election system (such as weak authentication mechanisms or poorly monitored absentee voting), they could be a powerful tool for malicious actors to disrupt, manipulate, or undermine the integrity of an election.
How to Protect Voter Data
Now that we know some of the problems states and counties may face, the question remains: what can be done to protect voter data?
Unfortunately, there is no one-size-fits-all solution when it comes to data security, but there are concrete steps that can and should be taken. In this case, the databases were left open and vulnerable simply because they were not password-protected or encrypted, which made them accessible to anyone with an internet connection.
Here are some basic steps that I would recommend to protect voter data from foreign and domestic adversaries and to help prevent election interference.
Encrypt All Data: The easiest way to protect against unauthorized access is to use encryption. Most jurisdictions have online portals where voters can access their documents or information. These documents must be stored in a database and then delivered through a password-protected dashboard or application. This is why voter records should be encrypted both at rest (in the database) and in transit (when they are accessed or delivered to the end user — in this case, the voter). By encrypting the records, they become unreadable and unusable in the unfortunate event of a data breach or if unauthorized access occurs. Even as a security researcher, when I stumble upon encrypted data, I move on because I know it is protected.
Access Controls and Monitoring: Password protection is the most basic step, but a strong password alone is no longer enough. All systems should use multi-factor authentication (MFA) so that brute force attacks, reverse brute force attacks, and dictionary attacks cannot succeed with a guessed password alone. Monitoring access can identify who is accessing the network, records, or cloud database. This includes logging failed login attempts, since a burst of failures can reveal an attack in progress in real time. Access controls and monitoring are a necessity to prevent unauthorized access and catch suspicious activity inside the network.
Security Audits and Vulnerability Assessments: As I mentioned before, many local governments choose to contract third-party vendors to manage their election systems and do not have direct control over their data or the storage infrastructure. This is why it is important to require that those vendors undergo regular security audits and vulnerability assessments. State and local governments have the authority to pass legislation to hold vendors accountable and require mandatory penetration testing and risk assessments. The election authorities must also be involved and be fully aware of any vulnerabilities found in the security audits. Election authorities must not pass the entire liability to the contractor. Finally, informing the public of any untoward incidents is important because it promotes trust and transparency.
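To make the "monitor failed login attempts" recommendation concrete, here is an added example (my illustration, not code from the article or from any election vendor) that scans portal authentication logs for two password-guessing patterns: many failures against one account from one source (brute force or dictionary attack) and failures spread across many accounts from one source (the "reverse brute force" pattern). The log format, addresses, account names and thresholds are all constructed for the example.

```python
"""Added example: flag password-guessing patterns in portal login logs.

Assumptions (hypothetical, not a real product's log format):
  - one line per attempt: "<ISO timestamp> <src_ip> <username> <OK|FAIL>"
  - the thresholds and 5-minute window are illustrative and would be tuned
    per deployment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
SINGLE_ACCOUNT_THRESHOLD = 5   # failures against one account from one source
SPRAY_THRESHOLD = 4            # distinct accounts with failures from one source

# Constructed sample log: one source hammers "alice", a second source tries
# one password against four accounts, a third is a user who mistyped once.
SAMPLE_LOG = """\
2024-10-01T09:00:01 203.0.113.7 alice FAIL
2024-10-01T09:00:09 203.0.113.7 alice FAIL
2024-10-01T09:00:17 203.0.113.7 alice FAIL
2024-10-01T09:00:25 203.0.113.7 alice FAIL
2024-10-01T09:00:33 203.0.113.7 alice FAIL
2024-10-01T09:00:41 203.0.113.7 alice FAIL
2024-10-01T09:01:00 198.51.100.23 bob FAIL
2024-10-01T09:01:02 198.51.100.23 carol FAIL
2024-10-01T09:01:04 198.51.100.23 dave FAIL
2024-10-01T09:01:06 198.51.100.23 erin FAIL
2024-10-01T09:02:00 192.0.2.10 alice FAIL
2024-10-01T09:02:30 192.0.2.10 alice OK
2024-10-01T09:30:00 203.0.113.7 alice FAIL
"""


def parse_line(line):
    """Split one log line into (timestamp, source_ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


def failures_in_window(timestamps, window):
    """Largest number of events falling inside any span of length `window`."""
    timestamps = sorted(timestamps)
    best, left = 0, 0
    for right, t in enumerate(timestamps):
        # Slide the left edge forward until the span is shorter than `window`.
        while t - timestamps[left] >= window:
            left += 1
        best = max(best, right - left + 1)
    return best


def detect(log_text):
    """Return a sorted list of alert dicts describing suspicious sources."""
    per_source_account = defaultdict(list)   # (ip, user) -> failure times
    per_source_accounts = defaultdict(set)   # ip -> accounts that failed
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, ok = parse_line(line)
        if ok:
            continue                          # successes are not counted here
        per_source_account[(ip, user)].append(ts)
        per_source_accounts[ip].add(user)

    alerts = []
    for (ip, user), stamps in per_source_account.items():
        n = failures_in_window(stamps, WINDOW)
        if n >= SINGLE_ACCOUNT_THRESHOLD:
            alerts.append({"type": "brute_force", "src": ip,
                           "account": user, "count": n})
    for ip, users in per_source_accounts.items():
        # Breadth check: one source failing against many different accounts.
        if len(users) >= SPRAY_THRESHOLD:
            alerts.append({"type": "password_spray", "src": ip,
                           "accounts": sorted(users)})
    return sorted(alerts, key=lambda a: (a["type"], a["src"]))


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The single-account check uses a sliding window so that the isolated failure at 09:30 from the same source does not inflate the count, while the breadth check deliberately ignores time: a slow spray of one password across many accounts is exactly what a per-account lockout misses, so it is counted across the whole log.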
Token-Based Access and Time-Limited URLs: Using access tokens and time-limited URLs for document delivery is an effective way to secure sensitive data. This is a very simple method to ensure that only authorized and authenticated users can view or download documents in a very short period of time before any granted access expires. For web portals that provide voter data, this could significantly reduce the risk of unauthorized access.
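The token-based, time-limited URL scheme described above can be implemented with nothing more than an HMAC over the document id, the voter the link was issued to, and an expiry time. The following is an added example of that pattern (my illustration, not the article's or any portal's code); the server secret, base URL, document ids and voter ids are constructed placeholders.

```python
"""Added example: HMAC-signed, time-limited download links for voter documents.

Assumptions (hypothetical): the portal holds a server-side secret, documents
are addressed by an opaque id, and each link is bound to the authenticated
voter it was issued to, so a forwarded link is useless to anyone else.
"""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed secret for this example; a deployment would load it from a
# secret store, never from source code.
SERVER_SECRET = secrets.token_bytes(32)
BASE_URL = "https://portal.example/documents"   # placeholder host


def _signature(secret, doc_id, voter_id, expires):
    """HMAC-SHA256 over every field the server will later trust."""
    msg = f"{doc_id}|{voter_id}|{expires}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_link(secret, doc_id, voter_id, ttl_seconds=300, now=None):
    """Issue a link that expires `ttl_seconds` from `now` (default: wall clock)."""
    expires = int(now if now is not None else time.time()) + ttl_seconds
    query = urlencode({"doc": doc_id, "voter": voter_id, "exp": expires,
                       "sig": _signature(secret, doc_id, voter_id, expires)})
    return f"{BASE_URL}?{query}"


def verify_link(secret, url, authenticated_voter, now=None):
    """Return (ok, doc_id) on success or (False, reason); deny by default."""
    q = parse_qs(urlparse(url).query)
    try:
        doc_id, voter_id = q["doc"][0], q["voter"][0]
        expires, sig = int(q["exp"][0]), q["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False, "malformed"
    # 1. Integrity: any edit to doc, voter or exp breaks the signature.
    expected = _signature(secret, doc_id, voter_id, expires)
    if not hmac.compare_digest(expected, sig):      # constant-time compare
        return False, "bad_signature"
    # 2. Freshness: the link stops working once the window has passed.
    current = now if now is not None else time.time()
    if current > expires:
        return False, "expired"
    # 3. Binding: a valid link forwarded to another logged-in voter is refused.
    if voter_id != authenticated_voter:
        return False, "wrong_voter"
    return True, doc_id


if __name__ == "__main__":
    link = make_link(SERVER_SECRET, "ballot-2024-0001", "V123")
    print(link)
    print(verify_link(SERVER_SECRET, link, "V123"))
```

The order of checks matters: the signature is verified first so that tampered parameters never reach the expiry or binding logic, and `hmac.compare_digest` is used so that the comparison does not leak timing information about how many bytes matched.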
Zero-Trust Architecture: When it comes to highly sensitive data, we should always assume that threats will come from both inside and outside the network. The concept of zero-trust is exactly what it sounds like: election agencies and vendors should treat every access request as if it were malicious and put multiple layers of security in place. Sure, it creates additional steps and complicates the ease of use, but effective cybersecurity requires that all users be authenticated, authorized, and validated before accessing any system, document, or database. Remember, from a cybersecurity standpoint, the more complicated, the better.
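What "authenticated, authorized, and validated before accessing any system" looks like in code is a deny-by-default access decision in which every gate must pass and network location grants nothing on its own. The example below is added by me to illustrate that; it is not the article's or any vendor's code, and the roles, resource names and policy table are hypothetical.

```python
"""Added example: a deny-by-default access decision for a voter-records
service, in the zero-trust spirit of the text.

Assumptions (hypothetical): requests arrive with an identity already
validated by an identity provider (or none at all), an MFA flag from that
provider, and a set of roles; the policy table is illustrative.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class AccessRequest:
    principal: Optional[str]      # None means the caller never authenticated
    mfa_verified: bool            # second factor completed for this session
    roles: FrozenSet[str]
    resource: str                 # e.g. "voter_record"
    action: str                   # e.g. "read"
    from_internal_network: bool   # logged for audit, but grants nothing


# Explicit allow-list: (resource, action) -> roles permitted.
# Anything absent from this table is denied.
POLICY = {
    ("voter_record", "read"): frozenset({"clerk", "auditor"}),
    ("voter_record", "update"): frozenset({"clerk"}),
    ("voter_record", "export"): frozenset({"auditor"}),
}


def authorize(req: AccessRequest) -> Tuple[bool, str]:
    """Evaluate every gate in order; the first failure is the denial reason.

    Note that `req.from_internal_network` is never consulted: being inside
    the network is not treated as evidence of legitimacy.
    """
    if req.principal is None:
        return False, "unauthenticated"
    if not req.mfa_verified:
        return False, "mfa_required"
    permitted = POLICY.get((req.resource, req.action))
    if permitted is None:
        return False, "no_policy_for_action"
    if not (req.roles & permitted):
        return False, "role_not_permitted"
    return True, "allowed"


def audit_record(req: AccessRequest) -> dict:
    """Decision plus context, as a dictionary ready to write to an audit log."""
    ok, reason = authorize(req)
    return {"principal": req.principal, "resource": req.resource,
            "action": req.action, "internal": req.from_internal_network,
            "decision": "allow" if ok else "deny", "reason": reason}


if __name__ == "__main__":
    sample = AccessRequest("clerk-17", True, frozenset({"clerk"}),
                           "voter_record", "read", True)
    print(audit_record(sample))
```

The point of the audit record is that both allowed and denied decisions are written with the same fields, so a reviewer can later ask which internal-network requests were refused for a missing second factor, which is precisely the traffic a perimeter-based model would have waved through.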
When researching the coverage of my previous report on the Illinois voter records data breach to see if any additional details were discovered, I was surprised to see a post on X (formerly Twitter) stating: “DeKalb County has a 108% voter registration rate: including: 169 at nonresidential address 185 who moved and voted in different jurisdiction 4,861 names with no contact in 10+ years”.
When trying to fact-check these numbers, I discovered a report from a group called Democracy in Action that claimed “Voter Registration in 353 Counties in 29 States Exceeds 100%”. In 2020, the group released a study that shows 353 US counties had more registered voters than eligible voters (an excess of 1.8 million voters, to be exact). This is despite the National Voter Registration Act of 1993, which requires states to make reasonable efforts to clean their voter rolls. However, it’s important to note that this claim is based on their interpretation of available data, and discrepancies in voter registration rolls may result from several factors, including delays in updating records.