State election officials are looking into claims that data on millions of California voters were publicly posted online.
California Secretary of State Alex Padilla said Tuesday that his office was working to verify media reports, first circulated Monday, that the information of as many as 191 million voters nationwide had been posted online “in an insecure manner by an unknown third party.”
Security researcher Chris Vickery said he discovered the database Dec. 20, and brought his findings to the website DataBreaches.net. The data he found included names, addresses and dates of birth, Vickery told the Los Angeles Times in a phone interview. The data also included whether or not voters had voted in elections going back to 2000.
“When you see these types of databases, sometimes there are a lot of entries … so seeing a large amount of numbers wasn’t that surprising,” Vickery said.
But when he noticed that the lines of data were broken up by state, and that the number of entries for Texas and California was significantly larger, the magnitude of the trove became clear to him.
“When I looked at Texas and saw my name there, that’s when it really struck me,” he said.
It’s not immediately clear who owned the database or how it ended up on a public website. As of Monday evening, Vickery said, it appeared the database was no longer publicly available.
The database appeared to have been last updated in 2014, Vickery said, and could have been viewed or downloaded by anyone on the Internet. Included was information on more than 17.8 million Californians, Vickery said. There were 17.7 million registered voters in California as of February 2015.
Vickery, a tech support specialist based in Austin, Texas, likens it to a company placing all of its files on the side of a country road.
“There may not be very many people driving down that road, but anyone can drive to it and access those files,” Vickery said. “The company didn’t put up any walls, didn’t put up any doors, and a person driving down the road could just happen to get lucky and see it.”
Voter privacy advocates say the alleged breach highlights how ubiquitous the collection of detailed voter data has become in American election campaigns -- and how security systems have failed to evolve to protect such data.
“This is one of the best-kept secrets of American politics, that all this data is being collected,” said Kim Alexander, president of the nonprofit California Voter Foundation, which has studied voter privacy in the past. “It’s the kind of sausage-making of the political system that is integral to so many campaigns but hidden mostly from voters.”
Alexander says incidents like this help make voters aware of the big business of political data, which might ultimately turn some off from participating.
“All this behind-the-scenes profiling of voters makes a lot of people uncomfortable, and once they get a whiff of it, people may say they don’t want to be a part of it,” she said. The information could have been available to anyone, including terrorists and scammers, she added.
Vickery says he has no way of knowing how many people may have accessed the database before he found it last week. Since the news broke, he said, he believes at least one other party has been able to access the database and may have been able to partially download it.
The information was not posted online by the secretary of state’s office, Padilla said, adding that his office is working with state Atty. Gen. Kamala Harris’ office on the potential breach.
Much of the data Vickery says he discovered is commonly accessed and traded by political firms to help campaigns build voter profiles to better target mail and other materials. But the data is also governed by a patchwork of state laws that dictates what kind of information can be released, and for what purposes.
Alaska, Colorado and Connecticut, for example, place no restrictions on the release of voter file information.
But in California, state law prohibits public disclosure of that data, except for political, election, scholarly, journalistic or governmental purposes. (Some voters, such as public safety officers or survivors of domestic abuse, sexual violence or stalking, can ask that their information be kept private.)
The information made available for those purposes, and which could be kept in a voter database, does not include signatures, Social Security numbers or driver’s license numbers, Padilla said.
Vickery says his initial investigation into the breach indicated that at least some of the data may have come from political database company Nation Builder. It doesn’t appear that the database came directly from the company’s own servers, Vickery said, but it “probably passed through their hands at one point or another.”
In a statement released Monday, Nation Builder Chief Executive Jim Gilliam said the leaked database was not Nation Builder's, but that some of the information might have come from data the firm makes freely available to campaigns.
“From what we’ve seen, the voter information included is already publicly available from each state government, so no new or private information was released in this database,” Gilliam said.
Alexander says it’s disingenuous to refer to voter data as “publicly available” because various state laws dictate what, if any, voter information can be released and how.
California law says that unauthorized use of voter information for commercial or other purposes can result in a fine of 50 cents per name on the list. With more than 17 million registered voters in the state, fines could reach $9 million.
The state attorney general’s office declined to comment, citing the need to protect the integrity of any potential investigation. The FBI also would not comment.
Vickery says he is cooperating with authorities to determine how the breach happened, but he would not say which, if any, agencies were investigating.