A leading US supplier of voting machines confirmed on Thursday that it exposed the personal information of more than 1.8 million Illinois residents.
State authorities and the Federal Bureau of Investigation were alerted this week to a major data leak exposing the names, addresses, dates of birth, partial Social Security numbers, and party affiliations of over a million Chicago residents. Some driver’s license and state ID numbers were also exposed.
Jon Hendren, who works for the cyber resilience firm UpGuard, discovered the breach on an Amazon Web Services (AWS) device that was not secured by a password. The voter data was then downloaded by cyber risk analyst Chris Vickery who determined Election Systems & Software (ES&S) controlled the data. ES&S provides voting machines and services in at least 42 states.
Gizmodo spoke briefly with Chicago officials regarding the matter on Saturday. The city did not immediately respond to a request for comment on Thursday after ES&S posted about the leak on its website. A spokesman for US Senator Dick Durbin of Illinois also confirmed on Saturday that the senator had been made aware of the situation.
ES&S was notified this week by the FBI and began its own “full investigation” with UpGuard’s assistance, “to perform thorough forensic analyses of the AWS server,” the company said in a statement, adding that the investigation is still ongoing.
ES&S said the AWS server did not include “any ballot information or vote totals and were not in any way connected to Chicago’s voting or tabulation systems.” The company stressed that the leak had “no impact on the results of any election.”
An ES&S electronic poll book—a kind of device used to check in voters on Election Day—was toyed with by hackers at the Defcon security conference this year in Las Vegas. As Gizmodo exclusively reported, the hackers discovered loaded on the device the personal records of 654,517 people who voted in Shelby County, Tennessee, including names, addresses, birthdates, and political party. The poll book was purchased on eBay. (ES&S did not respond to requests for comment for this story.)
As reported by Gizmodo in June, UpGuard previously discovered a massive, unsecured database leaking the personal information of nearly 200 million US registered voters online. That leak was tied to Deep Root Analytics, a conservative data firm contracted by the Republican National Committee during the 2016 election.
Update, 3:52pm: Chicago Election Board Chairwoman Marisel Hernandez said in statement: “We are deeply troubled to learn of this incident, and very relieved to have it contained quickly. We have been in steady contact with ES&S to order and review the steps that must be taken, including the investigation of ES&S’s AWS server. We will continue reviewing our contract, policies, and practices with ES&S. We are taking steps to make certain this can never happen again.”
Update, 4:05pm: UpGuard CEO Mike Baukes told Gizmodo: “ES&S was able to secure the data promptly and issue a public statement with the details of the exposure, aiding the UpGuard Cyber Risk Team in our mission of ensuring that exposed information is secured. By working with enterprises like ES&S to swiftly close such exposures, UpGuard will continue to raise awareness about the issues of cyber risk affecting the digital landscape today.”
This story is developing and will be updated with more information as it becomes available.