News last week that voter records belonging to some 35 million U.S. residents is being offered for sale on a dark web marketplace has raised fresh concerns about identity theft and potential voter fraud just weeks before November’s midterm elections.
Researchers from Anomali and threat intelligence firm Intel471 said the data being peddled appears to have been obtained legitimately. It includes full names, phone numbers, physical addresses and voting histories of voters from 19 states. About 23 million of the records appear to belong to residents of just three states, while the remaining data pertained to individuals from across the other 16 affected states.
“Of note, the seller indicates they receive weekly updates of voter registration data across the states and that they receive information via contacts within the state governments,” Anomali said last week. That indicates the data was not stolen, though it is being redistributed for potentially illegitimate purposes, the security vendor said.
The affected states are: Georgia, Idaho, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Mississippi, Montana, New Mexico, Oregon, South Carolina, South Dakota, Tennessee, Texas and Utah.
Prices for the lists vary by state and may have to do with the number of voter records available in each database. The seller’s advertisement lists the 6 million records in Wisconsin’s voter database at $12,500, while the database for Minnesota has a list price of $150 for an unspecified number of voter records. Prices for the remaining databases fall in between these numbers, with Louisiana’s database being the second costliest at $5,000.
Buyers are being assured of weekly updates to the voter data for every state database they purchase.
The data that has been listed for sale on the hacking forum can be purchased legally from the various state election boards and other sources. Voter records for the entire state of Illinois for instance, is available from the state election board for just $500. One company offers what it says is says regularly updated voting records for 185 million U.S. residents; another touts data on 204 million registered U.S. voters from across all 50 states, along with their phone numbers, emails, demographic data and so-called lifestyle information.
However, most states have restrictions on who can buy the data and how it can be used. Typically, those who are allowed to use voter data include political campaigns, PACs, political consultants, journalists and analytics companies.
The fact that such data is being distributed on the dark web highlights how easily malicious actors are able to subvert state rules and procedures, Anomali said, noting potential motives for buying the data could include identity theft, or tampering with voter lists to make people ineligible to vote in the upcoming elections. “Fraudsters can cause disruptions to the electoral process through physical address changes, deletion of voter registrations, or requests for absentee ballots on behalf of the legitimate voter,” he said.
News of the voter records sale is sure to add to the already high concerns over election tampering and the safety of the U.S. election system in general.
In this particular instance, the data that is being distributed illegally does not appear to have been obtained via a cyber intrusion. However, numerous reports over the past several years have highlighted serious concerns over the susceptibility of U.S. election systems to electronic tampering. Recent news about Russia-based hackers accessing U.S. voter databases has added to those concerns.
In a Sept. 2016 paper, Andrew Appel, a professor of computer science at Princeton University, warned that almost all of the voting systems used in more than 9,000 jurisdictions across the United States could be tampered with. An attacker with physical access to a voting machine could cause it miscount votes or transfer votes from one candidate to another, Appel noted.
Even so, there is some debate over exactly how much damage an attacker would actually be able to cause to a U.S. election, with such access and tampering.
“The major threat to U.S voting systems is the idea that the results can be modified or manipulated,” said Vinny Troia, CEO and of Night Lion Security.
The machines that voters use to actually cast their ballots are typically not connected to the internet, making remote attacks unlikely.
However there is still a point where the results from each machine will need to be tallied and uploaded to a central processing or results server, Troia said. “Someone could potentially intercept and change the data stream between the voting locations and the destination where the votes are submitted.” But even then, there are so many locations that would have to be impacted that the tasks seems improbable, he said.
The sheer variety of voting machines in use, including some that simultaneously log a paper ballot, also limits the damage an attacker would be able to inflict. “Hacking a single voting machine will have little to no impact on the overall election unless you can find a way to infect a large quantity of them in a single location,” Troia noted.
What that means is that the best way to manipulate votes would be to intercept or change the numbers after the voting is complete, he added.