Stolen California Voter Database Held For Bitcoin Ransom

An Amazon AWS server believed to contain files on all of California's registered voters was left exposed this year due to a misconfigured database, according to researchers at the Kromtech Security Center. The database was later stolen by cybercriminals demanding a ransom only payable in bitcoin.

Kromtech told Gizmodo that it collected samples from the database earlier this year while examining thousands of servers left publicly exposed. Each of the servers had installed a database platform known as MongoDB, which was widely misconfigured and vulnerable to attack.

While re-examining the data samples earlier this month, Kromtech discovered what appeared to be 4GB of voter files linked to the State of California. By that time, however, the server had been swept up in a wave of ransomware attacks, which reportedly infected more than 32,000 MongoDB installations as early as January 2017.

Owners of the stolen database were confronted with a ransom note, which read, "Your DataBase is downloaded and backed up on our secured servers. To recover your lost data: Send 0.2BTC to our BitCoin Address and Contact us by eMail with your MongoDB server IP Address and a Proof of Payment. Any eMail without your MongoDB server IP Address and a Proof of Payment together will be ignored. You are welcome!"

Kromtech previously identified a hacking group called Harak1i1 as responsible. A second group, called Own3d, was also identified, as well as a third known only as 0704341626asdf.

Redacted voter file discovered by Kromtech

The researchers had acquired just 20 record samples out of more than 19 million before the deletion occurred, as well as screenshots of the server's file structure, but they said it would be nearly impossible now to determine who owned the files. The researchers told Gizmodo they were in contact with the California Secretary of State's office last week and were informed the incident is under investigation.

The California Secretary of State's office sent Gizmodo the following statement:

"We are looking into unconfirmed reports that a third party may have uploaded some California voter information in an unsecure location online. We take any allegation of improper use of voter data very seriously, and have enlisted the support of law enforcement. There is no evidence that any of the Secretary of State's systems have been hacked or breached or that any confidential information such as social security numbers, driver's licence numbers, state ID numbers, or voter signatures were disclosed.

Under state law, limited voter data is made available for restricted use by campaigns, journalists, and academic researchers. It is illegal under state law to share or obtain this data without authorisation."

According to Kromtech, one of the databases appeared to contain roughly 19.2 million voter records. According to recent election data, there are 19.4 million registered voters in California.

The sample records contain a variety of identifiable information, including the names, addresses, phone numbers, dates of birth, and precincts of California voters. They did not appear to contain Social Security numbers or financial data of any kind.

A second and much larger database (22GB) contains more than 409 million records, which include district information such as county codes and registrant ID numbers.

The voter files were also marked with an "extract date" of May 31, 2017, Kromtech researchers said, indicating that the database was likely created this spring, though the origin of the data remains a mystery.

"This is a massive amount of data and a wake-up call for millions of citizens of California who have done nothing more than fulfil the civic duty to vote," said Bob Diachenko, Kromtech's head of communications, who emphasised the threat of identity theft posed by the exposure of raw voter data.

"This discovery highlights how a simple human error of failing to enact the basic security measures can result in a serious risk to stored data," he said. "The MongoDB was left publicly available and was later discovered by cyber criminals who used ransomware to steal the data and try to extort their victims into paying to recover their files."
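The misconfiguration the article describes, a MongoDB instance reachable from the internet with no authentication, is visible in two settings of the server's `mongod.conf`. The following is an added illustration, not a file from the article, from Kromtech, or from the server involved: the first fragment shows the exposed state that older packaged builds shipped by default (listening on every interface, authorization off), the second shows the corrected state. Keys under `net` and `security` are standard MongoDB configuration options; the interface address `10.0.0.5` is a constructed placeholder for the private address an application server would connect through.

```yaml
# --- Exposed configuration (the state the 2017 ransom wave exploited) ---
# Older MongoDB packages defaulted to binding every interface and to
# running with no access control, so anyone who could reach TCP 27017
# could read, dump and drop every database.
net:
  port: 27017
  bindIp: 0.0.0.0          # listens on all interfaces, including public ones
security:
  authorization: disabled  # no credentials required for any operation

# --- Hardened configuration ---
# Bind only to loopback and the private interface the application uses,
# and require role-based authentication for every client.
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # 10.0.0.5 is a constructed placeholder for a private address
security:
  authorization: enabled       # every connection must authenticate; users and roles
                               # are then created with db.createUser() on the admin db
```

Two checks follow from the fragments: `ss -ltnp | grep 27017` on the host shows which address the listener is actually bound to, and `mongo --eval 'db.adminCommand("listDatabases")'` from another host should fail with an "unauthorized" error once `authorization: enabled` is in force. Both settings can also be supplied on the command line as `--bind_ip` and `--auth`; a cloud security group or firewall rule that blocks 27017 from the internet is the second layer, since a single typo in either setting reproduces the exposure described above.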