That problem was fixed shortly after it was pointed out in a complaint to the state Office of Cyber Security by Tina Podlodowski, the Democratic candidate for secretary of state.
Podlodowski, who has criticized incumbent Republican Secretary of State Kim Wyman over voter data security, said Friday the problem was brought to her attention by “a couple of concerned citizens” and she confirmed it by checking her own registration information online.
“The secretary of state needs to take this seriously,” Podlodowski said. “I think (Wyman) needs to apologize to voters.”
In a prepared statement, Wyman did apologize for the error, adding she takes it very seriously and was relieved no systemwide “harvesting” of data happened before it was fixed. The information that could be accessed was not more sensitive data, like Social Security or Driver’s License numbers.
“In this climate of political polarization and hyperpartisanship, I want to thank my opponent for her role in notifying my office of the design flaw,” Wyman said. “We all have to work together to protect each other.”
Prior to the change, some phone numbers and email addresses, as well as some contact information for overseas and military voters, could be found in MyVote. That online system allows people to register to vote online, tell them what their voting districts are, which races will be on their ballot and where they can find drop boxes to deposit their ballots.
David Ammons, a spokesman for Wyman’s office, said the information didn’t show up on the screen but could be accessed through the development code.
“This is not cyberterrorism or hacking,” Ammons said. Instead, he called it a glitch in the system that was inadvertently added when MyVote was updated in April to make it more accessible to people with disabilities. “You could find it if you know how to read code.”
It did not involve sensitive personal identification like Social Security or driver's license numbers, he said. Although phone numbers and email addresses for many people can be found elsewhere online, they are not among the information state law says is public from Washington voter rolls.
Podlodowski, a former Microsoft manager with a degree in computer science, said a person wouldn’t need highly technical skills to be able to access the information, and just because there’s no sign of a mass extraction of voter information doesn’t mean someone didn’t mine the database a few voters at a time. The voter database should have an extensive cybersecurity audit, she said.
Questions were raised about the security of Washington’s online voter registration system in October 2012, shortly after it was implemented. Elections Director Lori Augino said the state followed the recommendations of cyberexperts who pointed out the flaws, required additional information to register or update, reviews time stamps, IP addresses and transactions, conducts ongoing security testing internally and has annual testing by independent cybersecurity experts that is more extensive than an audit.
By statute, a voter’s name, address, date of birth, gender and voting record are public but other voluntary information collected for contacting voters for questions about their ballots is not public.
The information technology staff reviewed data since April and found no mass log-ins or data harvesting. Some of the changes made by after 2012 make state elections officials that did not take place.
©2016 The Spokesman-Review (Spokane, Wash.) Distributed by Tribune Content Agency, LLC.
