35 million US voter records being sold on Dark Web

October 16, 2018 | Expert Insights

Up to 35 million US voter records from 19 states have been found up for sale on a popular hacking forum, security researchers have discovered. The discovery comes just weeks ahead of the US congressional midterm elections.

Background

Midterm elections in the US are federal elections in which voters choose members of Congress. They are held halfway between presidential elections, and voters will elect one-third of all US senators and all 435 members of the US House of Representatives. Midterm elections determine which political party – either Democratic or Republican – will control each chamber of Congress for the next two years.

The upcoming midterms will take place on November 6.

As the elections draw near, concerns about the security of voting systems and voter data have persisted. In July, a misconfigured Amazon S3 bucket belonging to Robocent, a Virginia-based political campaign and robocalling company, was found leaking US voter information. Researchers warned that the exposure of such information could facilitate criminal behaviours such as identity fraud or phishing attacks.

Analysis

Security researchers at Anomali Labs and Intel 471 said they discovered up to 35 million voter records being sold on a popular hacking forum – including personally identifiable information and voter history. The data contains details such as full name, phone numbers, physical addresses, voting history and other voting information. The voter records come from 19 US states with the total estimated size of the cache amounting to over 35 million records.

The advertisement on the forum listed the following impacted states: Georgia, Idaho, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Mississippi, Montana, New Mexico, Oregon, South Carolina, South Dakota, Tennessee, Texas, Utah, West Virginia, Wisconsin, and Wyoming. Prices for each state’s voter records ranged from $150 to $12,500. Researchers reviewed a sample of the database records and determined the data to be valid with a “high degree of confidence.”

Within hours of the initial advertisement being posted, a “high-profile actor” organized a crowd-funding campaign to purchase each of the voter registration databases. The actor said the purchased databases would be made available for free to all registered members of the hacker forum, with early access given to donors of the project. Multiple forum users have pooled funds together to buy one or more databases from the initial offering and share the information publicly.

“To our knowledge this represents the first reference on the criminal underground of actors selling or distributing lists of 2018 voter registration data, including US voters’ personally identifiable information and voting history,” Hugh Njemanze, chief executive officer of Anomali, said. “With the November 2018 midterm elections only four weeks away, the availability and currency of the voter records, if combined with other breached data, could be used by malicious actors to disrupt the electoral process or pursue large scale identity theft.”

Although state voter registration lists can be legally obtained at varying costs established by every state, there are rules dictating which authorized persons, political campaigns, journalists and academic researchers are allowed to retrieve and use such data. However, voter lists are not permitted to be used for commercial purposes or allowed to be published online.

“Certain states require the seller to personally travel to locations in-state to receive the updated voter information,” Anomali Labs said in a report. “This suggests the information disclosure is not necessarily a technical compromise but rather a likely targeted campaign by a threat actor redistributing possibly legitimately obtained voter data for malicious purposes on a cybercrime forum.”

On underground forums, there is no shortage of buyers for valuable stolen personal information such as voter records. Malicious entities could exploit this data to threaten the electoral process through voter identity fraud and voter suppression.

For instance, fraudsters may request changes to voter registrations such as physical address changes, delete voter registrations, request absentee ballots or carry out other activity that could result in a legitimate voter being unable to cast a ballot.

Assessment

Our assessment is that the latest exposure of voter record information should not be treated as just another drop in the bucket. Voter registrations are rich targets for hackers. Exposed data can be used by anyone with malicious intent who, by making seemingly simple changes such as altering a letter in the spelling of a voter’s name or changing an address, could end up invalidating a legitimate voter at the polls. We believe that such tampering could – on a large scale – interfere with elections.

We believe it is crucial that such breaches and exposure of citizens’ data be addressed quickly and given due importance by lawmakers and authorities in the interest of protecting the integrity of democracy and electoral processes.