A database containing the voter records of over 19.5 million Californians was exposed to the public internet before being locked down and held for ransom by cyber-criminals, just months after a similar incident, according to reports.
The information involved is apparently not defined as PII by the state, although it did contain names, addresses, dates-of-birth, political affiliation and other voter details — enough to craft convincing follow-up phishing attempts.
The data in question was being stored by the Sacramento Bee newspaper, which had obtained it legally for reporting purposes.
However, the MongoDB database it was stored in was left exposed to the internet for a fortnight after a vendor performed routine maintenance and the firewall did not come back online.
That was all it took: cyber-criminals spotted the error and stepped in to encrypt the data, demanding a payment in Bitcoin to unlock it.
The Bee subsequently decided to delete the encrypted data rather than pay the ransom, although it’s unclear whether the black hats made a back-up copy.
A separate database containing the names, home addresses, email addresses and phone numbers of 52,873 Sacramento Bee subscribers was compromised in the same way.
A statement from the secretary of state’s office, published by the newspaper, included the following:
“It is important to emphasize that no confidential information — such as social security numbers, driver’s license numbers, state ID numbers, or voter signatures — is ever provided in response to a request for the state voter file. Those with access to the voter file have a responsibility to take the necessary measures to protect voter data, wherever and however it is used, and to report any compromises to the Secretary of State’s office and law enforcement in a timely manner.”
This is the second time a database of Californian voters has been held ransom. Security firm Kromtech reported a similar incident back in December, although on that occasion hackers stole the database, leaving a ransom note in its place. It’s still unknown who the database belonged to.
“Unfortunately, businesses and organizations continue to disregard basic security rules when it comes to cloud repositories with a public-facing interface,” argued Kromtech’s Bob Diachenko.
“Misconfigured MongoDBs and AWS S3 buckets are among the most reported cases of data leaks for the last year and 2018 seems to be another challenging year for companies struggling to keep their data safe but forgetting about simple cyber-hygiene rules.”