Californian Voters Suffer Major Data Breach

A database containing the personal information of every voter in California appears to have been stolen and held to ransom after it was exposed to the public-facing internet.

Kromtech Security Center researchers made the discovery in early December, finding an unprotected MongoDB database named “cool_db” accessible online to anyone with an internet connection.

“One was a manually crafted set of voter registration data for a local district and the other appeared to contain the entire state of California with 19,264,123 records, all open for public access,” explained the firm’s Bob Diachenko in a blog post.

“Kromtech researchers were unable to identify the owner of the database or conduct a detailed analysis due to the fact that the database has been deleted by cyber-criminals and there is a ransom note demanding 0.2 bitcoin ($2,325.01 at the time of discovery).”

The incident follows the same MO as a string of similar database thefts during 2017, in which hackers located publicly exposed MongoDB data stores, stole the information, backed it up to a private server and then deleted the original.

Around a quarter of MongoDB databases (27,000) left open to the internet were hit by ransomware back in January, and then in September three hacker groups erased an estimated 26,000 MongoDB databases.

The 4GB trove contained highly sensitive information which will be sought after on the dark web, including names, addresses, email addresses, phone numbers, dates and places of birth.

A statement from the Secretary of State of California’s office did not deny the claim, hinting that the incident may be the result of third-party negligence.

“We are looking into unconfirmed reports that a third party may have uploaded some California voter information in an unsecure location online. We take any allegation of improper use of voter data very seriously, and have enlisted the support of law enforcement. There is no evidence that any of the Secretary of State’s systems have been hacked or breached or that any confidential information such as social security numbers, driver’s license numbers, state ID numbers, or voter signatures were disclosed. Under state law, limited voter data is made available for restricted use by campaigns, journalists, and academic researchers.”