Contractor's Unsecured Databases Exposed Sensitive Voter Data in Over a Dozen Illinois Counties
Published on September 18 2024 2:33 pm
Last Updated on September 18 2024 2:34 pm
Examples of redacted documents found by Jeremiah Fowler in unsecured databases. (Illustration by Capitol News Illinois)
By ANDREW ADAMS
Capitol News Illinois
aadams@capitolnewsillinois.com
Around 4.6 million records associated with Illinoisans in over a dozen counties – including voting records, registrations and death certificates – were temporarily available on the open internet, according to a security researcher who identified the vulnerability in July.
The documents were available through an unsecured cloud storage platform. They included Social Security numbers, dates of birth, addresses and voter registration history.
Election security experts said the breach is unlikely to affect the upcoming election but could make affected individuals susceptible to identity theft.
The researcher, Jeremiah Fowler, has also identified similar data vulnerabilities which exposed thousands of rail passengers’ travel details in the United Kingdom and over 4 million student records in the U.S., among others.
“It’s probably some of the most sensitive voter data I've seen,” Fowler told Capitol News Illinois. “And I've been doing this around 10 years.”
Fowler identified 15 unsecured databases before contacting several county clerks and eventually a technology vendor that is contracted to provide services for those counties.
Fowler told Capitol News Illinois that the list of counties affected includes Alexander, Boone, Champaign, DeKalb, Effingham, Gallatin, Hamilton, Henry, Jefferson, Ogle, Pike, Sangamon, St. Clair, Williamson and Winnebago.
He traced the issue to Platinum Technology Resource, an elections technology company based in Batavia. It is unclear if anyone other than Fowler accessed the information, although Platinum has denied that any voter registration forms were “leaked or stolen.”
Capitol News Illinois contacted county clerks in all of the counties Fowler identified. All but one, Alexander County, responded and indicated they had been in communication with Platinum about the issue. One other county, Henry, denied that they were affected by the incident.
St. Clair County was also named in a separate report from Cybernews, a cybersecurity news and research company, that alleges 470,000 records were exposed in a similar incident earlier this year.
That report said the exposed data included online voter applications and change-of-address forms that included Social Security numbers, dates of birth, names, current and former addresses, driver’s license numbers, contact information, and more.
When asked about the Cybernews report, St. Clair County Clerk Thomas Holbrook referred Capitol News Illinois to Platinum, but didn’t comment further on the issue. Platinum Chief Operating Officer Jay Bennett said the company “has no knowledge or involvement” of the March incident.
Platinum’s website indicates it currently contracts with 20 election authorities around Illinois. A Capitol News Illinois review of 12 of its contracts showed they had a cumulative value of more than $1.7 million of annual license fees ranging from about $4,500 to $58,000.
Some counties also contract with Platinum for election night support and other services. In St. Clair County, these services cost more than $130,000 per election.
Fowler said he reported the vulnerability to Platinum on July 18 but did not receive a response. Bennett said Platinum was unable to reach Fowler after he reported the incident.
Fowler then reported the issue to Magenium, Platinum’s IT services provider, on July 19. He then spoke to an individual at Magenium, who confirmed the databases were secure, before he published a report with his findings on Aug. 2.
This is in line with guidance from the Association for Computing Machinery's Committee on Professional Ethics, which advises those who identify vulnerabilities within computer systems to notify those responsible for maintaining those systems before making their findings public.
“At the end of the day, it’s not about naming and shaming contractors,” Fowler said. “Every company does the best they can. It’s about identifying, strengthening the system and learning from it.”
A county clerk alerted the Illinois State Board of Elections to the situation, according to board spokesperson Matt Dietrich. The board, which does not contract with Platinum, alerted county clerks to the situation on July 19.
Platinum distributed a notification to impacted counties in early August, two weeks after being initially notified.
“We have evidence of a claim the file storage containing voter registration documents may have been scanned,” the company wrote in a message obtained by Capitol News Illinois. “The containers are securely segregated from the overall system, which we can assure you has not been scanned or accessed.”
In its message to affected counties, the company also said it “used this opportunity to deploy new and additional safeguards around voter registration documents,” although it did not describe those safeguards.
In an email to Capitol News Illinois, Bennett said that upon being notified of the database misconfiguration, Platinum and Magenium took “immediate steps to quickly investigate and remedy” it.
Bennett declined to comment on what proactive steps the company has taken to secure other databases, noting that doing so “may pose a risk and potentially compromise” the security of its clients.
Several county clerks said they had received assurances from Platinum that the issue had been resolved shortly after the situation was made public.
“We always take any type of accusation seriously,” Winnebago County Clerk Lori Gummow said in an August interview.
Gummow also noted that the Winnebago County state’s attorney and county board members were aware of the situation and that the company assured her that it has “high confidence” that Winnebago County records had not been accessed.
Other county clerks, including those in DeKalb and Williamson, referred the situation to their local state’s attorney.
Some county clerks expressed concern that this would provide reason for doubt among voters, some of whom are already suspicious of election officials.
“I can guarantee our elections are run correctly,” Gallatin County Clerk Deanna Bryant said. “But not everyone believes that. We don’t need more scrutiny.”
Independent election security experts said the issue was concerning, but didn’t appear to pose a threat to this year's election.
“This is a serious issue – potentially, we don’t know all the details of it – relating to identity theft and the security of personal data,” David Becker, head of the Center for Election Innovation & Research, said at a September media briefing. “This does not appear to be an issue that impacts election administration.”
Fowler noted in an interview that the information that was publicly available “would have given all the information to commit identity theft.” He also shared concerns that hackers in other countries could use this type of information for nefarious purposes.
The Illinois attorney general advises those who suspect that they might be the victim of identity theft to report any fraudulent charges to creditors, place a fraud alert on their credit reports, file a police report and consider freezing their credit altogether. The AG’s office also maintains an identity theft hotline for victims at 1-866-999-5630.
Consumers can also order free personal reports from the major consumer credit reporting agencies – Equifax, Experian and TransUnion – by visiting their websites individually or by visiting annualcreditreport.com.
Other county clerks in Illinois said this reflects the changing nature of election oversight.
“I never would have imagined being a cyber expert and that’s what elections officials have to be,” Sangamon County Clerk Don Gray said.
Illinois election officials suffered a serious data breach in 2016 after Russian agents targeted the Illinois Board of Elections and accessed 76,000 voter records.
In response to that breach, the state launched the “Cyber Navigator Program” in 2018 to provide cybersecurity training to election authorities around the state. The program has since expanded to offer services to other units of local government.
No state-level data breaches have occurred since then, according to Dietrich.
Capitol News Illinois is a nonprofit, nonpartisan news service covering state government. It is distributed to hundreds of print and broadcast outlets statewide. It is funded primarily by the Illinois Press Foundation and the Robert R. McCormick Foundation, along with major contributions from the Illinois Broadcasters Foundation and Southern Illinois Editorial Association.