A database containing sensitive voter information from multiple Illinois counties has been left unsecured online, exposing the personal details of approximately 4.6 million individuals, including driver’s license numbers, partial and full Social Security numbers, as well as confidential documents such as death certificates. A longtime safety researcher inadvertently discovered one database purporting to contain information from DeKalb County, Illinois, only to uncover a total of 13 additional databases with similar sensitive data exposed. Until recently, none had been password-protected nor required any form of authentication for entry.
As prison-based hacking evolves into increasingly sophisticated and aggressive forms, the threat landscape surrounding critical infrastructure continues to escalate. While most vulnerabilities arise from seemingly minor flaws in software, it’s often the more obvious weaknesses that leave systems most exposed and vulnerable to attack. Following years of concerted efforts to strengthen election security across the United States, national awareness of cybersecurity threats has undergone significant improvement. As the upcoming US election draws near, research findings consistently highlight the need for ongoing vigilance and continuous improvement in electoral processes.
Fowler explains that he’s previously encountered voter databases, allowing him to recognize this particular collection as likely being a low-level advertising and marketing outreach database acquired by an individual or entity. However, upon closer inspection, I observed that voter registration forms – both physical and digital – were marred by a plethora of scanning errors and haphazard screenshots. The voter rolls appear to contain sensitive information about energized citizens, including absentee voters who have elected to receive communications via email, which also includes a small subset utilizing military-affiliated email addresses. As I delved deeper into the documents, I was taken aback to discover Social Security numbers, driver’s license numbers, and even death certificates scattered throughout. Initially, my instinctive reaction was: “What are these doing here? They don’t belong.”
According to publicly available information, it appears that all counties have contracts with Platinum Expertise Resource, a Illinois-based election administration services provider, which offers voter registration software, digital tools, and services such as poll printing. Illinois’ many counties rely on Platinum Expertise Useful resource as their trusted election services provider, including DeKalb, which has publicly confirmed its partnership with Platinum to WIRED magazine.
On July 18, Fowler notified Platinum of the unsecured databases, but claims he received no reply, leaving the vulnerabilities unchecked. As Fowler delved further into publicly available data, he discovered that Platinum collaborated with Magenium, an Illinois-based managed service provider; accordingly, he submitted a disclosure request to this entity on July 19. Despite his claims of no response, the databases were swiftly secured and removed from public access following their initial exposure. Platinum and Manganese failed to respond to multiple requests from WIRED for comment.
Platinum began disseminating a notification deemed significant by WIRED to affected counties on Friday.
Platinum has confirmed that a database storing voter registration documents may have been compromised through scanning, but assures that the discovered databases reveal no evidence of a broader breach of their systems. A thorough and rigorous inquiry was conducted. Our research confirms that no evidence has been discovered to suggest the existence of leaked or stolen voter registration information, supporting our ongoing understanding on this matter. We seized this opportunity to implement additional measures to strengthen security around voter registration documentation.
In Illinois, reporting of incidents to the state must occur within 45 days of the event occurring. A standard contract template for knowledge-based businesses in Champaign County, accessible through a Freedom of Information Act request, stipulates that contractors must notify the affected county within 15 minutes of detecting an information breach.
While the exposed data might increase individuals’ susceptibility to identity theft and other frauds, it could also be exploited to submit multiple absentee ballot requests or facilitate other questionable activities, potentially casting doubt on voters’ legitimate choices and necessitating time-consuming reconciliation efforts to verify their intentions. While he acknowledges that the dying certificates and accompanying documents within the treasure trove reveal the meticulous efforts of election officials across the country to process voter registrations and ensure each ballot is accurately tallied,
“There’s been notable progress in primary information security, and I rarely come across incidents like this one,” Fowler notes. “While I relied solely on publicly available online resources and didn’t utilize specialized tools, I was still able to find this information.” And at the end of the day, this vital infrastructure has been unearthed, its significance revealed.
