Illinois election officials say private information from up to 200,000 registered voters was accessed by hackers during a breach in late June.
It’s part of a breach under investigation by the FBI in both Arizona and Illinois. In both cases, the hacks involved online voter registration data.
Illinois State Board of Elections General Counsel Ken Menzel said that hackers were able to access the personal information of up to 200,000 voters.
“They got into the online registration portal, but they weren’t just getting at online registration data. They got into the database of the whole,” Menzel said.
Menzel said the state has been able to identify specific individuals whose information was hacked, and others who may have been hacked.
Those voters will be sent a letter warning them of the hack, once the investigation is completed, he said.
Those affected or suspected of being affected will be given referrals from the state’s cyber crime unit, as well as information on credit reports to make sure their information isn’t being used, Menzel said.
Hackers accessed voter registration data, including names and addresses, dates of birth and in some cases, the last four digits of Social Security numbers and driver’s license or state ID numbers.
“We are pretty confident they didn’t get the vote histories or signature captures, probably in part because those are large files,” Menzel said.
Menzel said the hackers targeted smaller files, steering clear of a lot of older registration files: “They may have been trying to stay stealthy.”
Menzel said the board of elections took its system down immediately after learning about the hack and blocked the IP addresses of the hackers.
“They did eventually stop but for quite a long time after we shut it down and blocked them out, they continued to try,” Menzel said.
In order to either register to vote in Illinois or change voter information online, voters must provide their full driver’s license or state identification card; the last four digits of their social security number and the date their license or ID card was issued.
And despite recent security upgrades and investigations by the Federal Bureau of Investigation, hackers again tried to hit the Illinois State Board of Elections database on Aug 12, according to a breach report issued last week.
“We are highly confident that no data in the IVRS [Illinois Voter Registration System] database was added, changed, or deleted, although the investigation is not yet complete, the report read.
The Illinois State Board of Elections last week detailed the breach in a report, calling it a “malicious cyber-attack of unknown origin,” against the database.
The board of elections became aware of the problem on July 12, and took the web site and database offline the day after to protect it from further hacking, according to the report.
An analysis of the breach revealed it began on June 23. The board of elections notified the Illinois General Assembly and the Illinois Attorney General’s office about the hack on July 19. That led to an investigation by the FBI. The bureau advised that the state work with the Department of Homeland Security’s United States Computer Emergency Readiness Team to ensure there’s wouldn’t be additional breaches.
Security enhancements were finished on July 21, and the voter system was put back online, the report said. Part of that enhancement included resetting all passwords and forcing users to change their passwords; adding password encryption and resetting and encrypting passwords used by vendors and automated web services.
Arizona was the first state to begin online voter registration in 2002.
According to a 2013 Pew Charitable Trusts survey of 13 states that had enacted online voter registration, all states had security protocols and procedures in place, including data encryption and tracking, while limiting those who have access to their system internally. Seven of those 13 states said they believed “reduced opportunities for fraud” were a major benefit of online voter registration. Nine of those states said they employed encryption and other tools to protect data transmitted electronically.