Today I woke up to news of 191 million US voter records having made a public appearance somewhere online. At first glance this appeared to be the same old story: someone hacked into a system and dumped everything either publicly or via a reporter. Same old, same old.
But then it took an unexpected turn – it wasn’t a hacker (at least in the traditional sense) breaking into a system somewhere, it was someone who was referred to as a “researcher”. I was pointed at a Reddit thread he’d written explaining the background and I found this of particular interest:
I have recently downloaded voter registration records for 191 million Americans from a leaky database. I believe this is every registered voter in the entire country. To be very clear, this was not a hack.
The mysterious, insecure database is currently configured for public access. No password or other authentication is required at all. Anyone with an internet connection can grab all 300+ gigabytes.
This worries me greatly because the premise appears to be that if someone has done a poor enough job of securing their system then it’s ok to feast on the spoils within. There can be no ambiguity that this is highly sensitive data not intended to be in the public domain nor that downloading hundreds of gigabytes of it from a system that should be secure is the wrong thing to do.
I had some to-and-fro with folks on Twitter about it and the word “leak” was used quite a bit. I’m not sure that’s the correct term here, not when someone had to consciously seek out the data then download it in bulk. There was also some debate about whether this was a “hack” because the guy basically just waltzed in through an unlocked door and took the data. Whilst it certainly didn’t involve the likes of SQL injection, there’s no debating that someone grabbed themselves a whole heap of data they shouldn’t have. Would you call it a “hack” if they’d found it by deliberately searching for unsecured databases? Would the intent then justify the term?
But let me also take a moment to point out the bleedin’ obvious: someone really screwed up their handling of this data. This is inexcusably poor management of a huge volume of sensitive data I hope that as the authorities get involved (and they will get involved), they manage to track down how such an horrendous oversight occurred.
Frankly, the terms “leak” and “hack” don’t even matter and the fact remains that someone took advantage of an insecure system to grab stuff they know damn well they shouldn’t have. They clearly didn’t just stumble across it either, the intent was to take this data. As someone pointed out to me earlier, opening an unlocked door and stealing the contents behind it is still breaking and entering. Unfortunately for the perpetrator in this case, that may well lead to having to answer some very uncomfortable questions in the not too distant future.