When a database is hacked, it’s because security procedures were inadequate. But, by definition, there were security procedures in place to begin with, which counts for something at least. In this instance, this database of voters nationwide was simply sitting on the internet waiting for someone to query it.
So what’s the problem? This is all stuff they could get at the county courthouse, right? In many cases, yes, but this is potentially every registered voter in America. While it does not include social security numbers, it does include an address, a date of birth, political affiliations, the way you’ve voted in the past, and everything else that a person would need to hunt you down, to impersonate you, or to deny you employment or other benefits based solely on your political beliefs. Those are the garden variety exposures that come to mind. Are there likely other nefarious uses for this data? There usually are.
When asked online what he thought the contentious issue really was, given that some of the data is technically public record, Vickery responded,
I think the contentious issue is this: Our society has never had to confront the idea of all these records, all in one place, being available to anyone in the entire world for any purpose instantly. That’s a hard pill to swallow.
If you know someone who lives in New York state, for instance, and you know their DOB and their zip code, you can look up their party affiliation, their address, and their status. That’s all well and good, but it doesn’t mean that you know how they voted in the last election. That’s not the sort of data that you could mine to get an indication of future voting, or for marketing purposes online or off.
Here’s a screenshot of a redacted NY voter registration lookup. Bear in mind that assessing this screen requires you to know the name, date of birth, and zip code of the person you’re trying to look up, so it’s not exactly open to all and sundry for perusal.
The information exposed above is pretty minimal. We redacted it as a best practice, not because it contains anything you couldn’t have found in five seconds of searching. Compare that to DOB, whether you voted in elections in the last 15 years, FIPS code, demographic information, phone, preferred language, and more data exposed by this breach.
This isn’t just information that can be used to market to you. This is information that can be used to highly target you for marketing, property crimes (demographic info), phishing, and outright identity fraud. This information is normally fairly difficult to access on a one-by-one basis, though that varies by state. Here we have it in a single place for whatever purposes someone might want to use it for.
The information was compiled for a semi-legitimate purpose, of course – targeting voters in the upcoming elections. The data has been tracked down to one particular vendor, though to whom they sold it is unknown at this time. The inherent problem here is that there was absolutely no security around the database whatsoever. It was accessible by using a standard database explorer tool that would be used for legitimate access to such a source.
It’s possible to just wander around the internet looking for things that look insecure. Oh, look port 3306 is responding, and no login request. Gee, I wonder what’s in this MySQL database… Someone apparently took zero steps to secure this data. Any ramifications are too far in the future to predict, but for now the data is out there and available. If a security researcher found it, you may safely assume there is a one hundred percent chance that a few less well-intentioned people found and grabbed the data, as well.
Where does that put you? Well, with name, address, and DOB, they can start calling up companies and making changes to accounts. It might be minor, it might not. They could request that your cell phone service be switched to a different device temporarily. Then when your credit card company calls you to verify a change of address, they answer the phone on that device, confirm it with your date of birth and previous address, and then switch the service back to your existing phone. Now they can get a new credit card sent on your account. The stakes are even higher with bank accounts. The list doesn’t end.
What’s worse is that if they try the last four of your social a few times and get it wrong, and act flustered and ask “What do you have on file for me?” someone, somewhere, in a call center will say “Oh, we have 4876, that’s right, isn’t it?” And then they act more flustered that they couldn’t remember and they’ve social engineered the last four of your SSN out of someone. Anything that was previously closed to them is now open to them.
In many states, the information they’ve gleaned to this point is sufficient for them to walk into the DMV and request a duplicate copy of your drivers license. They’ve already Googled you to make sure you look sort of like them, of course, and they pick the victim carefully. Now they haven’t just stolen your identity, they literally are you.
Scared yet? We certainly are.
There are two things you can do to combat this. First of all, be vigilant. You should check your credit card statements every month, you should keep an eye on your bank account, and you should be aware of people near your home who don’t belong there. It’s that simple. To do any less is to be negligent.
The second thing you should do is to get buy renters insurance now and make sure you get the identity fraud endorsement. While it won’t prevent identity fraud when someone has access to enough information to become you, it will cover the expenses of fixing the problem and reclaiming your life. The coverage also gives you access to trained professionals who can help you through the process of becoming the only you again.
Effective Coverage offers the nation's only completely mobile platform to quote and purchase renters insurance right from your phone or tablet in just one minute. Get an online renters insurance quote today and protect your family.Photo Credit: Brett Morrison Windows 10 Battlestation CC BY 2.0