Slashdot Mirror


154 Million Voter Records Exposed Due To Database Error (dailydot.com)

blottsie writes: Chris Vickery, a security researcher at MacKeeper, has uncovered a new voter database containing 154 million voter records, exposed as a result of a CouchDB installation error. The database includes names, addresses, Facebook profile URLs, gun ownership, and more. Who exposed the voter database? Vickery believes the suspect may be linked to L2, a company specializing in voter data utilization, after he noticed that the voter ID field was labeled "LALVOTERID." After calling the company, L2 said the database likely belongs to one of their clients, noting that there are very few clients big enough to have a national database like that. The database was secured within three hours of their phone call. L2's CEO Bruce Willsie said that the client told L2 that they were hacked and the firewall had been taken down. Their client is conducting their own research to figure out the extent of the incursion. The Daily Dot reports: "Why does this keep happening, and what is our government doing about it? No federal agency is enforcing data security in political organizations or non-profits, and so far, neither are state attorneys general."

19 of 95 comments

  1. Why does it keep happening? by hrieke · · Score: 4, Insightful

    My flippant answer:
    Cause companies refuse to pay market rate for those who actually know how to secure these things, & pay for the hardware and services.

    Honestly however, this is not a government issue, this is a private industry issue, and it's going to cost money.

    --
    III.IIVIVIXIIVIVIIIVVIIIIXVIIIXIIIIIIIIVIIIIVVIIIV IIVIIIIIIVIII...
    1. Re:Why does it keep happening? by plopez · · Score: 3, Insightful

      In software there are no consequences for idiocy. There are no laws governing the quality of software, e.g. requiring warranties or health and safety laws. In addition, Software "Engineers" are not true engineers as there is no licensing procedure and, unlike true engineers, no liability for a poor design. So these so-called Software "Engineers" can slap code together and get away without getting sued. The same is true of Network "Engineers", Security "Engineers" etc.

      There is no such thing as "Software Engineering".

      --
      putting the 'B' in LGBTQ+
    2. Re:Why does it keep happening? by The-Ixian · · Score: 2

      This reminds me of the time that I worked in the returns department of a consumer goods manufacturing company.

      The product was good but all I ever saw was the crap. Pallets and pallets of non-working things.

      I didn't have a very good opinion of the company's product at that time.

      However, the number of items returned was a tiny fraction of the amount of product sold.

      My point is that when all you hear about is breach after breach, it is easy to come to the conclusion that everything is easily breached.

      I don't think that is true. Just think about all of the databases in the world.

      I would be willing to bet that the odds of being breached are still fairly low if you actually spend the resources on taking reasonable security measures.

      I think that what we are seeing is an intersection between growing computer savvy (as everyone who grows up with the technology really groks it) and status quo (legacy) network concepts.

      I think it is absolutely possible to secure a network if the will to do it is there.

      --
      My eyes reflect the stars and a smile lights up my face.
    3. Re:Why does it keep happening? by CaptainDork · · Score: 2

      This.

      Data breaches will halt very soon after litigation becomes the norm.

      At this writing, gatekeepers are not held responsible.

      For every breach, the custodian of the data should pay out the nose.

      Until then?

      Yawn.

      --
      It little behooves the best of us to comment on the rest of us.
  2. Because "Oops" by penguinoid · · Score: 4, Insightful

    The reason it keeps happening is that when it happens, the CEO (who, incidentally, decided that security was an expense to be minimized) merely says "Oops, sorry." and then there are no consequences.

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    1. Re:Because "Oops" by quantaman · · Score: 2

      >The reason it keeps happening is that when it happens, the CEO (who, incidentally, decided that security was an expense to be minimized) merely says "Oops, sorry." and then there are no consequences.

      I think that's it. It's not that companies don't care about security, it's just that they can't really afford to care that much. Good security doesn't make them any money and bad security doesn't cost that much; in a world of finite resources the things with poor ROI are the ones that get neglected.

      --
      I stole this Sig
    2. Re:Because "Oops" by plopez · · Score: 3, Insightful

      What needs to happen is that failure must be made expensive.

      --
      putting the 'B' in LGBTQ+
  3. Why? Because they can't do it themselves by John+Jorsett · · Score: 3, Informative

    The feds do a lousy job of it themselves, in fact a much worse job. The Office of Personnel Management leak exposed millions of security-cleared personnel's records, including mine. I've already had somebody try to get credit in my name, probably from that breach (but could be from one that my former employer suffered as well). The OPM leak contained exponentially more revealing info than this one. I haven't heard of anyone getting fired for it, either, just the director getting to "step down". BFD.

  4. So ALL the voters? by Anonymous Coward · · Score: 4, Informative

    As of a couple years ago there were 146 million registered voters in the US. A 150m+ breach means EACH AND EVERY VOTER IN THE UNITED STATES.

    1. Re: So ALL the voters? by Anonymous Coward · · Score: 5, Interesting

      What voter database contains gun ownership?

  5. There was no installation error by campuscodi · · Score: 2

    From the article: "Willsie stated that the client told L2 that they were hacked and the firewall had been taken down. The client was now conducting their own research to determine the extent of the incursion." It was a hack, not an installation error.

    1. Re:There was no installation error by plopez · · Score: 2

      Unless the installation was so negligent it allowed an attack. This is clearly a case of trotting out the Evil Hackers(tm) to deflect focus on the company's stupidity.

      --
      putting the 'B' in LGBTQ+
  6. publicly available information by clovis · · Score: 5, Interesting

    People keep saying it was gathered from publicly available databases.

    What publicly available database has gun ownership? Neither the states nor the feds know who owns guns. It's against the law (I know, lol) for them to maintain a database of gun owners.

    And how about household income? Where can a person get the household income of other people from a publicly available database?

  7. Mackeeper = Malware by MacColossus · · Score: 2

    Mackeeper is the number 1 source of adware and malware on the Mac. This "security researcher" works for a company that is evil as f*ck. I'm guessing he hacked and shared the database and then claimed white hat glory for finding the breach. SMH.

    1. Re:Mackeeper = Malware by tgv · · Score: 2

      Was going to write the same. MacKeeper is paid malware, plain and simple. I don't know why they'd have security researchers, nor why such a researcher would be interested in such matters.

  8. Because US privacy laws suck by cliffjumper222 · · Score: 3, Informative

    For comparison, while data protection and privacy are fundamental rights in the EU, there is no equivalent protection in the US.

    EU data protection consists of several principles, which include rules on data quality standards, on sensitive data, independent supervision, the purpose limitation principle, rules on inter-agency exchange or transfer of data to third states, time limits for the retention of data, effective judicial review and access possibilities, independent oversight, proportionality elements, notification requirements after surveillance or data breaches, access, correction and deletion rights as well as rules on automated decisions, data security as well as technical protection. These rights and principles are subject to restrictions, but these restrictions are limited by proportionality elements and are continually subject to judicial review. Some of these EU rights, such as notification, supervision or judicial review, can also be found in certain US Acts, for instance in the ECPA; however, they only exist in a mitigated form.

    Most of the EU data protection guarantees simply do not exist in US law. Good for businesses, bad for humans.

  9. WTF by GrandCow · · Score: 2

    >Chris Vickery, a security researcher at MacKeeper

    Are you fucking kidding me?

    An article quotes someone who is a "security researcher" for one of the biggest malware companies plaguing Macs, and instead of being told to eat every dick on the planet, they're given a link on Slashdot so they look somewhat legitimate??? GREAT FUCKING JOB!

    --
    "Well kids, you tried your best, and you failed. The lesson is, never try." -Homer Simpson
  10. More exclusive than the one-percenters by lucm · · Score: 2

    They think only white men that own land can vote.

    It's been infiltrated and corrupted by commies and anarchists over the years so it lost its purity, but that's the spirit of the electoral college.

    --
    lucm, indeed.
  11. Voter registrations are NOT private by T.E.D. · · Score: 2

    Note that a state's voter registration records are NOT private data. It's public record, and anybody has a right to ask for it. For example, here's a link to where you can get the entire registration database for my state.

    Voter registration records include voters' name, address, date of birth, political affiliation, voter ID number, precinct and voting history, technology center district, school district and municipality.

    I used to have a copy for my precinct on my hard drive. A candidate just up and emailed it to me, unasked.