News has broken that an advertisement on a forum that sells data breach information is also offering the personally identifiable details and voting history of millions of US residents. The estimated size of the cache is in excess of 35 million records. The announcement says that the data sold is from updated state-wide voter lists, and includes millions of phone numbers, full addresses, and names.
Robert Capps, VP and Authentication Strategist at NuData Security:
“With cybercriminals bidding on millions of stolen U.S. voter records from 20 states, citizens on those lists should keep a close eye to spot the creation of new accounts and other actions performed in their name, including fraudulent credit applications and targeted phishing schemes to collect additional information about these individuals. This stolen information can be used for a variety of cybercrime, including account takeover, and identity theft which could take a long time to sort out, leaving the victim vulnerable for years. With the vast amount of stolen data available from this breach and other recent events, institutions must consider beefing up their security techniques and protecting their users by verifying their identity with multi-layer security solutions that include passive biometrics and behavioral analytics. These solutions are already helping retail companies and financial institutions detect illegitimate users so that if the stolen data is used for fraud, these attempts are thwarted before they create any damage to customers or institutions.”
Corin Imai, Senior Product Manager at DomainTools:
“Considering the current geopolitical climate in the United States, the sale of millions of records on the Dark Web around the mid-term elections seems like something the security industry predicted. As we look at our democratic process and the continued detriment to it via propaganda spread through fake news and election hacking, it makes sense we can now add the personally identifiable information (PII) of voters into the mix. So far, the research shows that the disclosure affects 19 states and includes 23 million records for just three of the 19 states. Impacted states include: Georgia, Idaho, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Mississippi, Montana, New Mexico, Oregon, South Carolina, South Dakota, Tennessee, Texas, Utah, West Virginia, Wisconsin, and Wyoming. When you look at the breakdown of states, 9 are Solid Republican, 1 Lean Republican, 7 are Competitive, and 3 are Solid Democratic. It will be interesting as more information is disclosed, for which three states voter PII was released, and if they release the PII of the remaining 16 states.”
Ross Rustici, Senior Director, Intelligence Services at Cybereason:
“This data is generally publicly available so having it floating around in the dark web is not surprising. Additionally, the issue of unsecured cloud infrastructure such as what we saw with Deep Root Analytics which had roughly a terabyte of this information publicly exposed means that this data has been available for a while. This issue has more to do with personal privacy and the way in which states handle the data and who can access it than an election security issue. As we deem privacy increasingly important we need to be concerned with more than just how social media companies handle our data.”