(TNS) -- A file containing the names, addresses, dates of birth and other information about Chicago's 1.8 million registered voters was published online and publicly accessible for an unknown period of time, the Chicago Board of Election Commissioners said Thursday.
The acknowledgment came days after a data security researcher alerted officials to the existence of the unsecured files. The researcher found the files while conducting a search of items uploaded to Amazon Web Services, a cloud system that allows users to rent storage space and share files with certain people or the general public. The files had been uploaded by Election Systems & Software, a contractor that helps maintain Chicago's electronic poll books.
Election Systems said in a statement that the files "did not include any ballot information or vote totals and were not in any way connected to Chicago's voting or tabulation systems." The company said it had "promptly secured" the files on Saturday evening and had launched "a full investigation, with the assistance of a third-party firm, to perform thorough forensic analyses of the AWS server."
State and local officials were notified of the existence of the files Saturday by cybersecurity expert Chris Vickery, who works at the Mountain View, Calif. firm UpGuard. Vickery said his firm was doing a routine research to see what information is publicly available on the Amazon cloud service.
"We regularly conduct research into what data is out there and exposed that requires no authentication, no hacking whatsoever," Vickery said. "It's in our best interest to raise awareness of the absolute epidemic of data exposure by increasing people's knowledge and realization that this is a problem."
The data file was listed as "Chicago DB" on the Amazon cloud service, Vickery said, and a setting on the upload made it accessible to the public.
Jim Allen, a spokesman for the Chicago elections board, said it was unknown how long the unsecured files had been accessible on the server.
"We have no indication that anybody other than Mr. Vickery found this," Allen said. "He's essentially an expert at trying to be the good guy to find files that shouldn't be out there before the bad guys do."
The files included names, addresses, dates of birth, the last four digits of many voters' Social Security numbers, driver's license and state ID numbers for the 1.8 million who are registered to vote in Chicago.
"We were deeply troubled to learn of this incident, and very relieved to have it contained quickly," Chicago Election Board Chairwoman Marisel A. Hernandez said in a statement. "We have been in steady contact with ES&S to order and review the steps that must be taken, including the investigation of ES&S' AWS server. We will continue reviewing our contract, policies and practices with ES&S. We are taking steps to make certain this can never happen again."
Allen added that the board is considering how to notify and potentially offer remedies to those whose information was exposed.
"The expense for that is going to be borne by ES&S," Allen said. "This was a violation of the contract terms that explicitly lay out the requirement to safeguard the voters' data."
©2017 the Chicago Tribune Distributed by Tribune Content Agency, LLC.
NEW ON THE PODCAST