Nearly 600,000 Alaska voters' sensitive records exposed due to CouchDB database configuration error

A trove of voter records containing the personal information of nearly 600,000 voters in Alaska was inadvertently exposed online in an unsecured CouchDB database. Security researchers at the Kromtech Security Research Center discovered the database of about 593,000 voters was accidentally configured for public access without password protection, potentially allowing anyone with a web browser to access and view the sensitive information.

The exposed records contained the sensitive and personally identifiable information of prospective voters including names, addresses, dates of birth, ethnicity, marital status and voting preferences, ZDNet reports. They also contained particularly personal data such as household income, the age range of an individual's children, whether the person is a homeowner and issues that the voter can be lobbied on such as climate change, gun control and tax reforms.

The exposed data is a larger voter file called Voterbase compiled by TargetSmart, a leader in national voting databases, that contains the contact and voting information of more than 191 million voters and 58 million unregistered, voting age consumers, researchers noted.

TargetSmart said that a third-party firm was responsible for the accidental exposure.

"We've learned that Equals3, an AI software company based in Minnesota, appears to have failed to secure some of their data and some data they license from TargetSmart, and that a database of approximately 593,000 Alaska voters appears to have been inadvertently exposed," TargetSmart CEO Tom Bonier said in a statement.

However, he said the repository was not accessed by anyone other than the security researchers at TargetSmart and the team that identified the exposure.

"None of the exposed TargetSmart data included any personally identifiable, non-public financial data," he said. "And to be clear, TargetSmart's database and systems are secure and have not been breached. TargetSmart imposes strict contractual obligations on its clients regarding how TargetSmart data must be stored and secured, and takes these obligations seriously."

The database was eventually secured and taken offline on Monday.

Equals3 CEO Dan Mallin said it "experienced an intrusion of a sample data set on one of our development servers," noting that the server wasn't being used by any of the firm's clients.

"This was an isolated intrusion, stemming from a white hat group who was searching for a known vulnerability in CouchDB," referring to Kromtech. "We have diligently conducted a forensic audit confirming the data set was not downloaded."

This incident is the latest in a spate of inadvertent data leaks caused due to cloud storage errors.

"There seems to be no end in sight for improperly secured data making its way onto the web and with little or no accountability for proper storage and security measures it is up to regulators to decide the best way to manage an aging electoral system that seems to be struggling to keep up with the digital age," Kromtech VP of strategic alliances Alex Kernishniuk said.

"This is yet another wakeup call for companies, governments, and political organizations to audit their networks, servers and storage devices and ensure they take the proper security precautions."