Don't panic, Chicago, but an AWS S3 config blunder exposed 1.8 million voter records

Personal info spills from another poorly secured Amazon service


A voting machine supplier for dozens of US states left records on 1.8 million Americans in public view for anyone to download – after misconfiguring its AWS-hosted storage.

ES&S says it was notified by UpGuard researcher Chris Vickery of the vulnerable database that contained personal information it collected from recent elections in Chicago, Illinois. The records included voters' names, addresses, dates of birth, and partial social security numbers. Some of the records also included drivers' licenses and state ID numbers.

"The backup files on the AWS server did not include any ballot information or vote totals and were not in any way connected to Chicago's voting or tabulation systems," ES&S said in a statement on Thursday.

"These back-up files had no impact on any voters' registration records and had no impact on the results of any election."

According to ES&S, it was alerted at 5.37pm on August 12 when, as part of a larger project to seek out sensitive data insecurely hosted on AWS, Vickery notified the company it had left its voter records out in the open. The cloud system was taken down four hours later. The biz, which supplies voting machines and backend services to more than 40 US states, is investigating the cockup.

A spokesperson for UpGuard confirmed to The Register that the vulnerable service was an AWS S3 silo accidentally set up to be open to the public. Strangely, only Chicago's data was exposed by a misconfiguration.

"We can't determine why the data exposed was only Chicago other than the bucket name, 'Chicagodb'. Our cyber risk team checked for other cities but came up empty," UpGuard's Kelly Rethmeyer told us.

Chicago's election board, meanwhile, says it is "deeply troubled" to hear of the exposure, but applauded ES&S for taking quick action.

"We have been in steady contact with ES&S to order and review the steps that must be taken, including the investigation of ES&S’s AWS server," said Chicago Election Board chairwoman Marisel Hernandez in a statement.

"We will continue reviewing our contract, policies and practices with ES&S. We are taking steps to make certain this can never happen again.”

This isn't the first time UpGuard found voter data sitting out in the open on AWS. Earlier this year the security firm caught a Republican analytics company who failed to put any access restrictions on an S3 instance that contained the personal details of nearly 200 million US voters within a 1.1TB database collected prior to the 2016 presidential election. ?

Biting the hand that feeds IT ? 1998–2017

  • 305452893 2018-01-22
  • 61770892 2018-01-22
  • 59080891 2018-01-22
  • 87471890 2018-01-22
  • 79096889 2018-01-22
  • 734763888 2018-01-22
  • 455411887 2018-01-22
  • 685280886 2018-01-22
  • 615657885 2018-01-22
  • 700163884 2018-01-21
  • 866691883 2018-01-21
  • 994750882 2018-01-21
  • 92145881 2018-01-21
  • 263961880 2018-01-21
  • 5823879 2018-01-21
  • 202428878 2018-01-21
  • 235407877 2018-01-21
  • 949120876 2018-01-21
  • 530375875 2018-01-21
  • 14090874 2018-01-21