Security researchers have discovered that the personal data of over 1.8 million Chicago voters was accidentally exposed online by a voting machine supplier. A data repository containing backup files of voter information was found publicly available on an Amazon Web Services server last week, cybersecurity firm UpGuard revealed on Thursday.
Owned and operated by Omaha-based firm Election Systems & Software (ES&S), which helps maintain Chicago's electronic poll books, the database included voters' names, addresses, phone numbers, partial Social Security numbers, and in some cases, driver's license and state ID numbers that seemed to have been produced around the time of the November 2016 election.
The exposed cache was discovered by UpGuard researcher Jon Hendren and was configured for public access, potentially allowing anyone accessing the S3 bucket's web address to view and download its contents.
After UpGuard's director of Cyber Risk Research Chris Vickery analysed the data, local and Illinois state authorities were notified. The files were immediately secured and the server was shut down on Saturday after ES&S was alerted to the leak.
It is still unknown when the files were uploaded to the unsecured server, how long the files were publicly available online or whether they were accessed by any potentially malicious actors.
ES&S has launched a "full investigation" into the leak assisted by a third-party firm "to perform thorough forensic analyses of the AWS server".
"The backup files on the AWS server did not include any ballot information or vote totals and were not in any way connected to Chicago's voting or tabulation systems", ES&S said in a blog post. "These back-up files had no impact on any voters' registration records and had no impact on the results of any election."
The firm is also currently reviewing all procedures and protocols, including those of its vendors, to make sure that its systems and data are secured and prevent any similar incidents in the future.
Chicago elections board spokesman Jim Allen said they are currently figuring out how to notify and offer remedies to residents affected by the leak.
"The expense for that is going to be borne by ES&S," Allen said, Chicago Tribute reports. "This was a violation of the contract terms that explicitly lay out the requirement to safeguard the voters' data."
Chicago Election Board Chairwoman Marisel Hernandez said in a statement: "We are deeply troubled to learn of this incident, and very relieved to have it contained quickly. We have been in steady contact with ES&S to order and review the steps that must be taken, including the investigation of ES&S' AWS server.
"We will continue reviewing our contract, policies and practices with ES&S. We are taking steps to make certain this can never happen again."
The latest incident comes amid growing concerns over cloud and digital security following multiple data leaks and exposures in recent months, often due to cloud configuration errors made by third-party vendors.
"As more and more functions of daily life shift to a digital footing, so too grows the surface for a potential cyber attack, no matter whether this cyber risk is shifted off to a third-party vendor," UpGuard researchers said. "Cyber risk is business risk, and a third party vendor's cyber risk is the main enterprise's business risk as well.
"For real cyber resilience to take hold, IT enterprises must begin to craft processes capable of checking and validating any such openings before it reaches the public internet, lest the barn door be closed only after the horse has bolted."