An estimated 35 million voter records from 19 states are up for sale on a dark web forum, in what may be an inside job ahead of the mid-terms.
Anomali and Intel 471 researchers discovered a seller offering full names, phone numbers, physical addresses, voting history and other unspecified voting data.
Some 23 million records are up for sale for just three states, although no record counts were provided for the remaining 16 states. The sales price for each voter list ranges from $150 to $12,500 depending on the state.
A crowdfunding project is underway to pay the seller: a move which would offer the full lists for free to members of a particular hacking forum. Records for Kansas have apparently already been published, with Oregon next in line.
Although access to state voter registration lists is provided to political campaigns, journalists and academic researchers, there are rules forbidding their use for commercial purposes or republishing online.
If the seller is telling the truth, this haul could be useful for identity fraudsters and even those who want to interfere in the upcoming mid-terms.
“When these lists are combined with other breached data containing sensitive information, e.g., social security number and driver’s license, on underground forums it provides malicious actors with key data points for creating a target profile of the US electorate,” noted Anomali.
“This type of information can facilitate criminal actions such as identity fraud or allow for false submissions of changes online to voter registrations, making some legitimate voters ineligible to cast ballots. In a voter identity theft scenario, fraudsters can cause disruptions to the electoral process through physical address changes, deletion of voter registrations, or requests for absentee ballots on behalf of the legitimate voter.”
The seller claimed to receive weekly updates of the registration data from contacts within the state governments, which if true could highlight a major insider risk.
“Threat actors frequently recruit and fool insiders into helping them to pull off data theft and abuse schemes. This research seems to indicate that insiders either knowingly or unwittingly helped the nefarious party to obtain voter information,” said Dtex CEO Christy Wyatt.
“Government-sector research we conducted earlier this year revealed that 53% of agencies have been hit with an insider incident.”
The affected states are: Georgia, Idaho, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Mississippi, Montana, New Mexico, Oregon, South Carolina, South Dakota, Tennessee, Texas, Utah, West Virginia, Wisconsin and Wyoming.