Security researcher, Chris Vickery of Texas, discovered an improperly configured database that was publicly accessible via the Internet. The database did not contain Social Security numbers or other financial information but it did include personally identifiable information (PII). Chris consulted with another IT expert, security blogger Steve Ragan, who confirmed that he was able to find and access the database. Both men found that the database had a current record of their PII including first name, middle name, last name, date of birth, gender, home address, political affiliation and voter record for elections occurring since the year 2000.
The researchers worked with security website “Databreaches.net” to identify the owner of the information but were not able to determine who had collected and posted the data. The database was taken offline on Monday, December 28, presumably to be patched.
The information is a matter of public record but various states restrict the manner in which it can be accessed. South Dakota requires anyone requesting voter registration information to sign the following statement: “In accordance with SDCL 12-4-41, I understand that the voter registration data obtained from the statewide voter registration database may not be used or sold for any commercial purpose and may not be placed for unrestricted access on the internet.” Clearly any information in the database regarding voters in South Dakota was posted in violation of state law.
There is no way to tell how long the database was available or who may have accessed it. The information in the database is not enough by itself to perpetrate identity theft but it is certainly a good start and could be used in conjunction with social engineering to phish for additional information.
Please protect yourself. Consider identity theft protection insurance. Please contact an agent for more information.