Researchers have discovered the personal details of over half a million US voters exposed to the public internet, once again thanks to a misconfigured database.
It was a CouchDB database of 593,328 Alaskan voter records including names, addresses, dates of birth, voting preferences, household income and much more.
The data in question is part of Voterbase; a larger trove of info on 191 million voters and 58m unregistered US voters managed by a firm called TargetSmart, according to the Kromtech Security Center.
TargetSmart CEO, Tom Bonier, explained that the incident came as a result of a misconfiguration by Equals3, an AI software firm which licenses some data from TargetSmart.
“A database of approximately 593,000 Alaska voters appears to have been inadvertently exposed, but not accessed by anyone other than the security researchers on our team and the team that identified the exposure,” he continued.
“None of the exposed TargetSmart data included any personally-identifiable non-public financial data. And to be clear, TargetSmart’s database and systems are secure and have not been breached.”
Bob Diachenko, chief security communications officer at Kromtech Security Center, explained that the database was misconfigured in such a way that no password/login was required to access the data.
“In simple words – administrators often skip or disable security settings in order to ease access to the database internally or remotely,” he added. “By default, database is secured. Moreover, Couch also has web-interface which allows viewing and editing the information even in browser, without extra special software.”
The incident is just the latest in a long line of database misconfigs which have leaked the data of millions in recent months.
Kromtech itself has flagged several of these, including WWE (3m), MoneyBack (455,000), and Time Warner Cable (4m).
Database administrators would do well to revisit their settings considering hackers are actively targeting publicly exposed installations with zero access controls.
Over 76,000 MongoDB customers were held to ransom recently by attackers who wiped their data and backed up to their own servers.
Rich Campagna, CEO of Bitglass, argued that the CouchDB incident could have been avoided with basic security best practices “such as limiting access from outside the corporate network, encrypting highly sensitive data, and training employees on security risks.”
“Ultimately, it should be a no-brainer to implement data-centric security tools on any sensitive information that could get out to the public”, he added.