Databases detailing 19.5 million Californian voter records as well as 53,000 newspaper subscribers have been stolen after a newspaper left both files exposed online.

The leak from The Sacramento Bee, reported today, was discovered by the Kromtech Security Center, which found a 91.5-gigabyte MongoDB database file Jan. 19 via a breach report based on Shodan, an “internet of things” search engine. The data detailed a wide variety of information compiled by the newspaper, such as legislation data, letters to the editor, internal newspaper systems info such as web site addresses, internal keys, user agents info and administrative credentials — but most importantly, the details of 19,501,258 California registered voters.

The SacBee discovered the exposure Jan. 29 when a developer noticed an error while attempting to upload data to one of the organization’s databases. That error, according to Bleeping Computer, consisted of the data being encrypted with a ransom demand for bitcoin if the newspaper wanted the data back.

The newspaper did not pay the ransom and deleted the databases instead, saying that the data had become accidentally exposed after a firewall did not come back online following routine maintenance by an outside service provider earlier in January.

While the loss of the subscriber data may be damaging to the SacBee, the voter registration data is replaceable as it was originally provided by the California state government, be it that the distribution of the data is somewhat restricted.

Citing SacBee’s lack of security oversight as being a lesson to be learned by all sorts of companies, Brian Contos, chief information security officer of Verodin Inc., told SiliconANGLE that it’s “critically important for organizations to continually measure and improve the effectiveness of their security controls and move beyond assumption-based security.”

Contos said there’s a “natural degradation that occurs in all IT environments as it relates to changes in security controls, network segmentation, patches and the like that can introduce unknown risk.” As a result, he added, “it’s key that the security controls protecting critical systems be fine-tuned for each specific environment to mitigate threats like ransomware.”

Photo: hjl/Flickr