A voting machine supplier for dozens of US states left records on 1.8 million Americans in public view for anyone to download – after misconfiguring its AWS-hosted storage.
ES&S says it was notified by UpGuard researcher Chris Vickery of the vulnerable database that contained personal information it collected from recent elections in Chicago, Illinois. The records included voters' names, addresses, dates of birth, and partial social security numbers. Some of the records also included drivers' licenses and state ID numbers.
"The backup files on the AWS server did not include any ballot information or vote totals and were not in any way connected to Chicago's voting or tabulation systems," ES&S said in a statement on Thursday.
"These back-up files had no impact on any voters' registration records and had no impact on the results of any election."
According to ES&S, it was alerted at 5.37pm on August 12 when, as part of a larger project to seek out sensitive data insecurely hosted on AWS, Vickery notified the company it had left its voter records out in the open. The cloud system was taken down four hours later. The biz, which supplies voting machines and backend services to more than 40 US states, is investigating the cockup.
A spokesperson for UpGuard confirmed to The Register that the vulnerable service was an AWS S3 silo accidentally set up to be open to the public. Strangely, only Chicago's data was exposed by a misconfiguration.
"We can't determine why the data exposed was only Chicago other than the bucket name, 'Chicagodb'. Our cyber risk team checked for other cities but came up empty," UpGuard's Kelly Rethmeyer told us.
Chicago's election board, meanwhile, says it is "deeply troubled" to hear of the exposure, but applauded ES&S for taking quick action.
"We have been in steady contact with ES&S to order and review the steps that must be taken, including the investigation of ES&S’s AWS server," said Chicago Election Board chairwoman Marisel Hernandez in a statement.
"We will continue reviewing our contract, policies and practices with ES&S. We are taking steps to make certain this can never happen again.”
This isn't the first time UpGuard found voter data sitting out in the open on AWS. Earlier this year the security firm caught a Republican analytics company who failed to put any access restrictions on an S3 instance that contained the personal details of nearly 200 million US voters within a 1.1TB database collected prior to the 2016 presidential election. ®