The Sacramento Bee accidentally leaked a database containing more than 19 million California voters' records online before it was promptly hijacked and locked down by opportunistic hackers for ransom. The local newspaper said in a statement that a firewall protecting the database was not restored by a third-party vendor during routine maintenance, leaving the records of 19,501,258 voters publicly exposed for two weeks.
The data, legally obtained by The Bee for reporting purposes, included voters' names, addresses, dates of birth, political affiliation and other voter details. A separate database that contained the names, home addresses, email addresses and phone numbers of 53,000 current and former Sacramento Bee subscribers who signed up for the paper prior to 2017 was also compromised.
Kromtech Security Center researchers first spotted the exposed 95.1GB MongoDB database on 31 January and notified the newspaper of the breach, but did not receive an immediate response.
It did not take long for hackers to discover the error, encrypt the exposed data and demand a ransom in Bitcoin in exchange for the stolen database. The Sacramento Bee did not pay the ransom and has since deleted the databases, the paper's president and publisher Gary Wortel said.
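The failure described above, a database whose only protection was a firewall that was not put back after maintenance, is one that a routine configuration check can catch before data is exposed. The following is an added example, not code from the article or from any organisation it names: it audits the settings mongod loads from mongod.conf, given here as already-parsed mappings, and the WEAK and HARDENED configurations are constructed for illustration.

```python
from typing import Dict, List

# Bind addresses that make mongod reachable on every interface of the host.
PUBLIC_BIND = {"0.0.0.0", "::", "*"}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_mongod(config: Dict) -> List[str]:
    """Return a list of findings for a parsed mongod.conf; empty means it passed."""
    findings = []
    net = config.get("net", {})
    security = config.get("security", {})
    auth_enabled = security.get("authorization", "disabled") == "enabled"

    # bindIp may be a comma-separated string or a list; bindIpAll overrides it.
    raw = net.get("bindIp", "127.0.0.1")
    addrs = {a.strip() for a in (raw.split(",") if isinstance(raw, str) else raw)}
    if net.get("bindIpAll") or addrs & PUBLIC_BIND:
        findings.append("net.bindIp exposes mongod on all interfaces")
    elif (addrs - LOOPBACK) and not auth_enabled:
        # Reachable from the network and unauthenticated: the firewall is the
        # only control left, which is the control that lapsed in the incident.
        findings.append("non-loopback bind without authorization relies solely on a firewall")

    # Without authorization, any client that reaches the port can read and drop
    # every collection, which is how a ransom note ends up where the data was.
    if not auth_enabled:
        findings.append("security.authorization is not enabled")
    if net.get("tls", {}).get("mode", "disabled") == "disabled":
        findings.append("net.tls.mode is disabled; traffic is cleartext")
    return findings


# Constructed configurations for illustration (not from the incident).
WEAK = {"net": {"port": 27017, "bindIp": "0.0.0.0"}}
HARDENED = {
    "net": {
        "port": 27017,
        "bindIp": "127.0.0.1,10.0.0.5",
        "tls": {"mode": "requireTLS", "certificateKeyFile": "/etc/ssl/mongod.pem"},
    },
    "security": {"authorization": "enabled"},
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_mongod(cfg) or ["ok"])
```

Running the check as part of host inventory or CI flags an instance that would be wide open the moment a perimeter rule disappears, rather than waiting for an external researcher to find it.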
He noted that the databases did not include any sensitive financial data, Social Security numbers, credit card details or bank account information.
"We take this incident seriously and are working with the Secretary of State's office to share with them the details of this intrusion," Wortel said.
The Secretary of State's office said it is taking the breach "very seriously" and is currently working with The Sacramento Bee and its parent firm The McClatchy Company "to gain a full picture of this incident".
"It is important to emphasize that no confidential information – such as social security numbers, driver's license numbers, state ID numbers, or voter signatures – is ever provided in response to a request for the state voter file," the Secretary of State's office said. "Those with access to the voter file have a responsibility to take the necessary measures to protect voter data, wherever and however it is used, and to report any compromises to the Secretary of State's office and law enforcement in a timely manner."
This isn't the first time Californian voters' records have been exposed and compromised by cybercriminals in recent months.
In December, Kromtech discovered another unprotected MongoDB database named "cool_db", accessible to anyone with an internet connection, that contained the personal data of every voter in California. In that case, the database was deleted by hackers and replaced with a ransom note demanding 0.2 bitcoin ($2,325 at the time). It is still unclear who that database belonged to.
It is not immediately clear if the same threat actors targeted Californians' voter records in both incidents.
"Unfortunately, businesses and organizations continue to disregard basic security rules when it comes to cloud repositories with a public-facing interface," Kromtech's Bob Diachenko wrote. "Misconfigured MongoDBs and AWS S3 buckets are among the most reported cases of data leaks for the last year and 2018 seems to be another challenging year for companies struggling to keep their data safe but forgetting about simple cyber hygiene rules."
Brian Contos, chief information security officer of security firm Verodin, said it is crucial for firms to constantly shore up their security measures and "move beyond assumption-based security".
"They need to be able to communicate to stakeholders the state of security effectiveness with empirical, evidence-based data, not assumptions," Contos told IBTimes UK. "Without validation of security controls, organizations will be lucky to prevent or detect more than about a quarter of all attacks."