Last month, a local California newspaper left more than 19 million voter records exposed online. Gizmodo confirmed this week that the records were compromised during an apparent ransomware attack.
The Sacramento Bee said in a statement that a firewall protecting its database was not restored during routine maintenance last month, leaving the 19,501,258 voter files publicly accessible. Additionally, the names, home addresses, email addresses, and phone numbers of 52,873 Sacramento Bee subscribers were compromised.
“We take this incident seriously and have begun efforts to notify each of the individuals on the contact list and to provide them resources to help guard against potential misuse of their personal contact information,” the paper said in a statement. “We are also working with the Secretary of State’s office to share with them the details of this intrusion.”
The Kromtech Security Center first discovered the data on January 31st and reviewed records from several of the exposed databases before determining who owned the data. Kromtech reached out immediately to multiple employees in the Bee’s IT department but received no response.
Gizmodo was notified about the breach on February 2nd and reached out to an executive editor at the Bee. Our email was not returned. After emailing two other members of the Bee’s editorial board on Monday—including Gary Wortel, the paper’s president and publisher—Gizmodo was contacted by a public relations director at The McClatchy Company, the Bee’s owner.
A McClatchy spokesperson said the executive editor first contacted by Gizmodo had left the paper the day our email was sent.
McClatchy provided an initial statement on Tuesday, saying it had “strict protocols in place to ensure the security of our data” and that it was “aware of a ransomware attack on one of our servers that was located outside our core IT structure.” The spokesperson added: “We know that in databases apparently targeted, no personally identifiable information, as defined by the State of California, was involved.”
Below is a sample of a leaked voter record, with personal information redacted. It contains the voter’s name, phone number, address, gender, date of birth, and political affiliation, among other election-related details.
The subscriber database includes only residents who subscribed to the paper prior to 2017, the paper said.
Another database labeled “users” contained approximately 55,000 records. Samples provided by Kromtech revealed names, email addresses, and IP addresses.
The Bee said it did not pay the ransom and instead deleted the databases to prevent further intrusions.
On Tuesday afternoon, McClatchy requested additional time to investigate the intrusion. Gizmodo agreed and asked for additional details about the type of ransomware involved. The hope was to determine whether the ransomware used in the attack was the same variety involved in a separate recent incident, which compromised 19.2 million California voter records in December.
The question is whether the same actor is targeting California voter records specifically. It is also possible the incidents are unrelated.
However, the Bee did not provide Gizmodo with additional information about the ransomware. Instead, on Wednesday night, without notice, the paper ran its own story about the breach. “I hope you understand that our executive team felt strongly that the Bee should inform its readership, some of whom may be affected by this intrusion, as soon as we felt we understood the boundaries of the incident,” the McClatchy spokesperson said after the publication of the Bee’s story.
“California law provides prohibitions and criminal penalties for the misuse or improper acquisition of voter registration information,” a spokesperson at the California Secretary of State’s office told Gizmodo on Tuesday.
Under state law, access to voter data is restricted; however, journalists, political campaigns, and academic researchers can acquire the data for certain purposes. The data provided does not include Social Security numbers, driver’s license numbers, or state ID numbers. Sharing the data or obtaining it without authorization is illegal.
California’s administrative and election codes appear written primarily to penalize individuals who acquire voter data without permission or use it in unauthorized ways, such as for commercial gain. It’s unclear if those rules and the corresponding penalties apply to those who negligently handle voter data or allow unauthorized persons to access it unintentionally.
In a statement published by the Bee, the Secretary of State’s office said: “McClatchy confirmed that the Sacramento Bee’s server was breached. The Secretary of State’s office takes any allegation of improper use of voter data very seriously, and continues to work with the Sacramento Bee and McClatchy to gain a full picture of this incident. Our office has also notified law enforcement.”
With regard to the voter data, the Bee wrote: “It’s not the first time this information has been exposed on the public internet.” By Gizmodo’s count, however, the previous leak in December contained 237,135 fewer voter records.