Updated

A database with personal information on 191,337,174 US voters has apparently been found unprotected online by a security researcher in Texas.
Austin-based Chris Vickery – who earlier this month found records on 3.3 million Hello Kitty users splashed online – says the wide-open system contains the full names, dates of birth, home addresses, and phone numbers of voters, as well as their likely political affiliation and which elections they have voted in since 2000.
Vickery told Databreaches.net he was able to poke around the public-internet-facing database because it is poorly configured: no authentication or password is required to query all 300-plus gigabytes stored within.
The researcher believes the database holds details for every registered voter in the US, and confirmed the records held on him in the system are accurate – as are those of serving and former police officers, which is one immediate concern.
"Oh man. I deal with criminals every day who know my name," a cop, who was alerted to the leaky database, told Databreaches.net.
"The thought of some vindictive criminal being able to go to this site and get my address makes me uncomfortable. I'm also annoyed that people can get my voting record. Whether I vote Republican or Democratic should be my private business."
To be fair, this security blunder isn't the end of the world: the information held in the database can be accessed by any citizen one way or another as a matter of public record. However, it's not really supposed to be put online in bulk like this for everyone on the planet to see so easily.
US states have different rules governing the release of voter information. For example, while places like Ohio and North Carolina put voter information online for free, California bans the distribution of this data outside America, and South Dakota forbids the publishing of voter records on the web.
Vickery dickery shock ... Voting facts up for grabs (Source: databreaches.net)
The database most likely belongs to a political pollster, although the source hasn't been identified. Vickery says he's been trying to get the insecure system shut down for over a week.
"The alarming part is that the information is so concentrated," he said. "I want our society to respect privacy more. We need serious referendum on the way private data is handled."
Updated to add
We're told the database was a poorly secured MongoDB store – there are plenty of them online, unfortunately.