An Amazon AWS server believed to contain files on all of California’s registered voters was left exposed this year due to a misconfigured database, according to researchers at the Kromtech Security Center.
The database was later stolen by cybercriminals demanding a ransom only payable in bitcoin. Kromtech said it collected samples from the database earlier this year while examining thousands of servers left publicly exposed. Each of the servers had installed a database platform known as MongoDB, which was widely misconfigured and vulnerable to attack.
While re-examining the data samples earlier this month, Kromtech discovered what appeared to be 4 GB of voter files linked to the State of California. By that time, however, the server had been swept up in a wave of ransomware attacks, which reportedly infected more than 32,000 MongoDB installations as early as January 2017. Owners of the stolen database were confronted with a ransom note, which read, “Your DataBase is downloaded and backed up on our secured servers.
To recover your lost data: Send 0.2 BTC to our BitCoin Address and Contact us by eMail with your MongoDB server IP Address and a Proof of Payment. Any eMail without your MongoDB server IP Address and a Proof of Payment together will be ignored. You are welcome!”
Kromtech previously identified a hacking group called Harak1i1 as responsible. A second group, called Own3d, was also identified, as well as a third known only as 0704341626asdf.
The researchers had acquired just 20 record samples out of more than 19 million before the deletion occurred—as well as screenshots of the server’s file structure—but they said it would be nearly impossible now to determine who owned the files. The researchers told Gizmodo they were in contact with the California Secretary of State’s office last week and were informed the incident is under investigation.
The California Secretary of State’s office was not immediately available for comment. We will update when we hear back. According to Kromtech, one of the databases appeared to contain roughly 19.2 million voter records. According to recent election data, there are 19.4 million registered voters in California.
The sample records contain a variety of identifiable information, including the names, addresses, phone numbers, dates of birth, and precincts of California voters. It did not appear to contain Social Security numbers or financial data of any kind. A second and much larger database (22 GB) contains more than 409 million records, which include district information such as county codes and registrant ID numbers.
The voter files were also marked with an “extract date” of May 31, 2017, Kromtech researchers said, indicating that the database was likely created this spring, though the origin of the data remains a mystery. “This is a massive amount of data and a wake-up call for millions of citizens of California who have done nothing more than fulfill the civic duty to vote,” said Bob Diachenko, Kromtech’s head of communications, who emphasized the threat of identity theft posed by the exposure of raw voter data.
“This discovery highlights how a simple human error of failing to enact the basic security measures can result in a serious risk to stored data,” he said. “The MongoDB was left publicly available and was later discovered by cyber criminals who used ransomware to steal the data and try to extort their victims into paying to recover their files.”
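The "basic security measures" Diachenko refers to come down to two mongod.conf settings. The fragment below is an added illustration, not configuration from Kromtech, Gizmodo or the exposed server: the first document shows the exposed pattern described in the article, the second the corrected form (the private address 10.0.0.5 is a placeholder).

```yaml
# Exposed pattern (constructed example of the failure mode, not the real server's file)
net:
  port: 27017
  bindIp: 0.0.0.0            # listens on every interface, so any internet host can connect
security:
  authorization: disabled    # no login required: anyone who connects can dump or drop every database
---
# Corrected configuration
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5 # loopback plus one private application-network address (placeholder)
security:
  authorization: enabled     # clients must authenticate; create an admin user in the admin db before restarting with this on
```

Both settings should be verified after every deployment or automation change, since a firewall rule or a missing `bindIp` line is all that separates the two documents.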
The California Secretary of State’s office sent Gizmodo the following statement: