154 Million Voter Records Exposed Due To Database Error

blottsie writes: Chris Vickery, a security researcher at MacKeeper, has uncovered a new voter database containing 154 million voter records, exposed as a result of a CouchDB installation error. The database includes names, addresses, Facebook profile URLs, gun ownership, and more. Who exposed the voter database? Vickery believes the suspect may be linked to L2, a company specializing in voter data utilization, after he noticed that the voter ID field was labeled "LALVOTERID." After calling the company, L2 said the database likely belongs to one of their clients, noting that there are very few clients big enough to have a national database like that. The database was secured within three hours of their phone call. L2's CEO Bruce Willsie said that the client told L2 that they were hacked and the firewall had been taken down. Their client is conducting their own research to figure out the extent of the incursion. The Daily Dot reports: "Why does this keep happening, and what is our government doing about it? No federal agency is enforcing data security in political organizations or non-profits, and so far, neither are state attorneys general."

Why? Because they can't do it themselves

[John+Jorsett]

The feds do a lousy job of it themselves, in fact a much worse job. The Office of Personnel Management leak exposed millions of security-cleared personnel's records, including mine. I've already had somebody try to get credit in my name, probably from that breach (but could be from one that my former employer suffered as well). The OPM leak contained exponentially more revealing info than this one. I haven't heard of anyone getting fired for it, either, just the director getting to "step down". BFD.

So ALL the voters?

As of a couple years ago there were 146 million registered voters in the US. A 150m+ breach means EACH AND EVERY VOTER IN THE UNITED STATES.

Because US privacy laws suck

[cliffjumper222]

For comparison, while data protection and privacy are fundamental rights in the EU, there is no equivalent protection in the US.

EU data protection consists of several principles, which include, rules on data quality standards, on sensitive data, independent supervision, the purpose limitation principle, rules on inter-agency exchange or transfer of data to third states, time limits for the retention of data, effective judicial review and access possibilities, independent oversight, proportionality elements, notification requirements after surveillance or data breaches, access, correction and deletion rights as well as rules on automated decisions, data security as well as technical protection. These rights and principles are subject to restrictions, but these restrictions are limited by proportionality elements and are continually subject to judicial review. Some of these EU rights, such as notification, supervision or judicial review can also be found in certain US Acts, for instance in the ECPA, however, they only exist in a mitigated form.

Most of the EU data protection guarantees simply do not exist in US law. Good for businesses, bad for humans.