Cyber Criminals Steal Voter Database of the State of California
If there is one thing that the 2016 US election has taught us it is that the entire electoral process needs to be revamped and a more uniform secure process. There have been several high profile leaks of voter data in recent months but in this case the entire voting population of California has had their information taken by cyber criminals.
In early December Kromtech security researchers discovered an unprotected instance of MongoDB database that appear to have contained voter data. The database named 'cool_db' contained two collections and was avaiable for anybody with Internet connection to view and/or edit.
One was a manually crafted set of voter registration data for a local district and the other appeared to contain the entire state of California with 19,264,123 records, all open for public access.
According to the LA Times California had 18.2 million registered voters in 2016 so this would logically be a complete list of their records.
Kromtech researchers were unable to identify the owner of the database or conduct a detailed analysis due to the fact that the database has been deleted by cyber criminals and there is a ransom note demanding 0.2 bitcoin ($2,325.01 at the time of discovery).
We were able to analyze the stats data we saw in our report (metadata on total number of records, uptime, names of the collection etc.), as well as 20-records sample extracted from the database shortly before it has been wiped out and ransom note appeared.
Ransomware and Stolen Data
In January 2017 a 27k or roughly a quarter of MongoDB databases left open to the internet were hit by ransomware and again in September 2017 three groups of hackers wiped out an estimated 26,000 MongoDB databases. The cyber criminals demanded that the owners of those databases pay around $650 USD in the cryptocurrency BitCoin to regain their data. It is still unknown just how that stolen data was used or how many people paid to have it returned, and if it was even returned after the cybercriminals received the money.
Back in January Kromtech Security came up with the initiative to help those who suffered an attack. Read more about last year 'massacre' here: https://www.databreaches.net/need-help-because-your-mongodb-installation-was-hit-by-ransomware/
It is unclear who exactly compiled the database in question or the ownership, but researchers believe that this could have been a political action committee or a specific campaign based on the unofficial title of the repository ("cool_db”), but this is only a suspicion. Political firms assist campaigns in building voter profiles. This information of California voters is governed by state law that dictates what kind of information can be released, and for what purposes.
The Danger of a State Voter Database Leak
In this case security researchers were able to bring awareness to millions of California citizens that their data was not only publicly leaked online, but also that cyber criminals have stolen it for ransom. State voter registration databases store detailed information on each registered voter in the state, as required by federal law.
The criminals used ransomware to wipe out the voter data and likely backed it up on a server making it even more risky. Once in the hands of cyber criminals this voter data could end up for sale on the “Dark Web”. If this were an official database, deleting parts of that data could affect someones voting process.
What the database contained?
The 4GB collection contained data structured with the following rows:
The “Extract Date” is most likely is the indicator of when the database has been compiled. It appears to have been created on May 31st, 2017.
The purpose of the second much larger collection in the database, named ‘22GB appears to be the complete California voter registration records. It contains a massive 409,449,416 records in total.
The format and information in the document titled “22GB”
Bob Diachenko, head of communications, Kromtech Security Center:
This is a massive amount of data and a wake up call for millions citizens of California who have done nothing more than fulfil the civic duty to vote. This discovery highlights how a simple human error of failing to enact the basic security measures can result in a serious risk to stored data. The MongoDB was left publically available and was later discovered by cyber criminals who seemed to steal the data, which origin is still unknown.
Here is the transactions for the wallet in the ransom note
The database has been taken down since the initial discovery. Secretary of State of California was aware of the leak and "was looking into it", however, at the time of publication we did not receive any official statement.