WASHINGTON (12/29/15)--A database holding personally identifiable information for 191 million registered U.S. voters was discovered by a security researcher to be accessible and open to all.
The misconfigured database--whose ownership was unclear--was revealed by Chris Vickery who reported it to DataBreaches.net (Forbes Dec. 28).
The database contains a voter's full name (first, middle and last), home address, mailing address, unique voter ID, state voter ID, gender, date of birth, date of registration, phone number, a yes/no field for the National Do Not Call Registry, political affiliation and a detailed voting history since 2000.
Voter registration lists are a matter of public record in many states--some of which have regulations restricting access and use. South Dakota requires those who request the data to sign a statement that the data may not be used or sold for any commercial purpose and may not be placed for unrestricted access on the Internet. Likewise in California, voter data may only be used for political purposes and may not be made available to persons outside of the United States (CSO Dec. 28).
The data does not contain financial data or Social Security numbers.
However, the personal information in this database, including political affiliation and date of birth, could be used to construct a targeted phishing campaign, warned CSO’s Steve Ragan. “While most people are aware of financially based phishing attacks, or those focused on retail or shipping, a targeted list based on politics might have a higher level of success, especially this time of year heading into the 2016 election cycle.”