UPDATED 23:04 EDT / AUGUST 15 2018

INFRA

Georgia governor candidate sued over exposure of 6.3M voter records

Brian Kemp, the Republican former secretary of state in charge of Georgia’s elections who’s running for governor, has been sued in a lawsuit that accuses him of allowing millions of voter records to be exposed online.

According to local media Wednesday, security researcher Logan Lamb discovered a voter registration database with 6.3 million records of all of Georgia’s voters, along with documents containing election day supervisor passwords in the summer of 2016.

Those records included full names, dates of birth, driver’s licenses and partial social security numbers “all wide open to anyone snooping around,” suggesting that they may have been left unsecured on a cloud server.

Although there’s no evidence that the data had been accessed for nefarious purposes and the electoral data itself is publicly available upon request, it gets worse. Kemp (pictured) is alleged to have deleted the data off a server, hindering an investigation.

Allan Liska, solutions architect and ransomware expert at Recorded Future Inc., told SiliconANGLE that this is another case of improperly secured sensitive data versus actual election system hacking.

“The data was accessible to anyone walking the directory on the web server, but a bigger concern is the fact that it was stored on a Drupal server with a well-known vulnerability that tens of thousands of bots were scanning the internet for and exploiting those systems,” he said, adding that there’s a good chance that Lamb was not the first person to exploit the server.

“Gaining voter registration data is a potentially serious breach, but having usernames and passwords for all of the Georgia voting systems is a significantly bigger problem because that could give an attacker potential access to live vote information,” Liska explained. “It has not been reported, to date, whether the usernames and/or passwords for those systems were changed once the exposed data was reported.”

Even if those passwords have been reported, he said, knowing the systems Georgia is using and how they are deployed could give an attacker enough information to mount a successful attack, he added. “There has been no evidence that this has happened to this point, but there is no way of knowing who else has access to the information that Lamb discovered,” he said.

Photo: Brian Kemp/Twitter

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU