Illinois' Voter Registration Database Hackers Home in on Galesburg Residents

by Rebecca Susmarski, The Register-Mail, Galesburg, Ill / May 8, 2017

(TNS) — About this story: In July 2016, unknown intruders hacked into the Illinois State Board of Elections' voter registration database. Recently the Illinois Senate's Subcommittee on Cybersecurity received an update on the ongoing investigation. This story looks into how the hacking occurred, how Galesburg residents' information was affected and whether or not the results of the November 2016 election could have been compromised by the hacking.

GALESBURG — Hackers viewed the information of more than 14,000 Galesburg residents in the state of Illinois' voter registration database last year — more than any other Illinois location.

Staff from the Illinois State Board of Elections provided an update to the Illinois Senate's Subcommittee on Cybersecurity on Thursday, revealing that in last summer's cyberattack on the state's database, Galesburg records had been viewed more than those from elsewhere in Illinois. Kyle Thomas, executive director of the board, and Kevin Turner, IT director for the board, said the board sent letters to 14,121 Galesburg residents last fall to notify them that some aspect of their information had been viewed. The hacked information included names, birth dates, addresses, driver's license numbers and the last four digits of social security numbers.

The hackers were able to access the information through the portion of the board's online voter registration tool that requires voters to type in their driver's license number or state identification number.

"When you enter information into a queue, normally they put a backstop on it where you can't enter any additional information, and the (Illinois) State Board of Elections didn't have that backstop," said Sen. Michael Hastings, D-Tinley Park, chairman of the cybersecurity subcommittee. "So you can send massive amounts of information through that portal, and that's where (the hackers) got in."

Despite the amount of information viewed, the hackers had not specifically targeted Galesburg. Hastings said as the hackers were phishing in the system, they came across a nine-digit voter ID code that just happened to fall in Galesburg.

Even stranger, the investigation thus far shows that the hackers only looked at the information in the database. They did not make any additions, deletions or other modifications to the information.

"This intrusion was somewhat complicated in that they were simply going for random voter IDs," Turner said. "They were not targeting any city or name or address. They started throwing in numbers of any type of queries; they were basically trying to get whatever they could get."

The hacking also did not have, and could not have had, any effect on the November 2016 presidential election. Thomas emphasized that the board's election equipment and process are completely separate from its registration database.

Lisa Watson, director of the city of Galesburg's Election Commission, confirmed that the two processes are separate and that the hacking had "zero impact" on the election. The city's voter registration database was not hacked, but even if it had been invaded in the same manner, it would not have affected the election outcome.

Yet even if the hacking had been nothing more than a data-mining exercise, Hastings worried that phishing could have implications in the future.

"Personally I really believe when you're about to attack something, you have to research what you're attacking," Hastings said. "In the military you do that through probing, and this phishing is looking for how everything works in the structure of a system. These people have a very sophisticated system, so this could be preparation for two years, four years or six years down the line."

The FBI has not ruled out the possibility that Russian hackers may have been involved in the intrusion. According to an August 2016 FBI document, the FBI found seven suspicious IP addresses during its early investigation, some of which traced back to the Netherlands.

The Netherlands IP addresses in turn traced back to a server called King Servers, which Hastings said often has been used by two Russian hacking groups, Fancy Bear and Cozy Bear. Hastings added that King Servers also has IP addresses in Bulgaria and Russia, and the two Russian hacking groups operate on all three servers.

No matter who the hackers had been, Turner said the board needed to re-create their intrusion throughout the summer of 2016 in order to find out what information they had acquired. The board also posted a link on its homepage that citizens could access to see which aspects of their information were compromised. (The link now can be found by clicking the "Voters" tab on the Illinois State Board of Elections site and then clicking "Cyber-Intrusion Record Search.")

Watson helped some Galesburg residents find the link last fall when they came to the Election Commission's office for early voting. Many of the residents found that their information already was public knowledge online.

"I offered repeatedly if individuals would like a print-off of what they saw on the website, and with an exception of a few individuals, most people said they weren't interested in getting a print-off," Watson said. "It was almost like the unknown was scarier than knowing."

©2017 The Register-Mail, Galesburg, Ill Distributed by Tribune Content Agency, LLC.