Data expert: Foreign adversaries can use unprotected voter data to disrupt Illinois elections
Social Security numbers, death certificates, Illinois voter applications and other personal information were accessible on the open internet, according to longtime security researcher Jeremiah Fowler.
Fowler found out that multiple Illinois counties that use a third-party company, Platinum Technology Resource, as an election services provider had exposed databases. He was able to access sensitive voter information.
“I’m an ethical security researcher and I found this,” said Fowler. “The bad guys are also looking for the same data I am looking for. The difference is I am going to let you know where they are going to take that data and manipulate it. It all boils down to resources.”
Fowler explained small local governments can’t fight foreign adversaries, who might take sensitive voter information and disrupt America’s elections by requesting absentee ballots using a voter’s Social Security number or other personally identifiable information.
“When [voter data] is stored online you create this vulnerability. It could be a mistake, I don’t think it was a malicious accident, but that’s a huge vulnerability,” said Fowler.
Illinois's data breach notification law requires notification to the state within 45 days of an incident. The Illinois State Board of Elections said they have no authority over who localities contract with, but they did reach out to counties with Platinum Technology Resource contracts to inquire about the exposed data.
Fowler is calling for more resources to be allocated to localities so they can prevent sensitive voter information from being exposed.
Illinois State Board of Elections spokesman Matt Dietrich said they assist localities with Cyber Navigators.
“We have the state divided into four zones and there are eight cyber navigators, two are assigned to each zone so each one has 25 or so jurisdictions. They visit and talk with them regularly. The cyber navigators also interpret Department of Homeland Security bulletins and federal alerts about potential risks to the election industry. The cyber navigators are there to make sure the jurisdictions know what these [risks] are,” said Dietrich.
Dietrich said he wasn’t sure if local election authorities had contacted voters to inform them that Fowler was able to access their data.
“It seemed like Fowler had said he wasn’t sure whether the data had actually been seen, but he said it’s out there. I don’t think this is something that would rise to that level [alerting voters],” said Dietrich. “You’d have to have proof the data was viewed.”
The data was manually reviewed by Fowler, who is an American citizen but lives in Europe, and he said taxpayer-funded voting systems should protect Americans’ personal information.
“We have a patchwork of technology providers and no two jurisdictions have the same data protections,” said Fowler. “As a voter you’re like, ‘hey I trust you,’ and then you find out they farm it out to third-party companies. That's where the disconnect is.”
Fowler explained there were good things Platinum Technology Resource did, like flagging duplicate Social Security numbers, but mistakes happen and there are ongoing challenges in election security.
The state board of elections currently doesn't have a standard that local election authorities have to follow when outsourcing things like data storage to third-party companies.
“For registration systems, voting systems…yes. This is a different sort of contractor and the services they provide are a variety of things we don’t have authority over,” said Dietrich.