Isn't this considered public data anyways? Illinois (and I believe every other US state) requires that certain voter data be publicly accessible. To access it in bulk, you'll have to pay a small fee, but anyone can get this.
A misconfigured AWS instance is always an issue. I'm not trying to downplay that. Only that this data being released to the public isn't anything new - the public already had access to it.
No. The Chicago Tribune [0] reported on the type of data exposed:
> The files included names, addresses, dates of birth, the last four digits of many voters' Social Security numbers, driver's license and state ID numbers for the 1.8 million who are registered to vote in Chicago.
Well, there's an unpleasant reminder of why knowledge-based authentication should never be based on something immutable.
How many services do all of use use that accept name/birthdate/SSN as identification? How many other services, like phone companies, claim not to but would still yield for someone who sounded earnest and knew all of that?
And what can the leak victims possibly do? TFA is great where you can get it, but it's not universal, and none of this information can be refreshed.
Last four of social is so abused it shouldn't count, and date of birth is in nearly every company's loyalty database. That leaves drivers license and state ID number as the leaked data. I'm honestly not sure how important or secure those are.
Exactly. Every leak already has it. Every company already has it. The fact that fraud is trivial is already true, and this leak really adds little to it.
OK, now would be so kind as to pretend that we've been leaked your birth year and state of birth?
Before you answer, you may want to poke your answers into this site and have a look at the outcome: https://www.ssn-check.org/lookup/
Caveat: This tracks your issue date, not truly your birthdate. In the past couple of decades many/most babies get registered at birth, but if I stick my own (birth) data in there I actually get the wrong answer, because when I was born issuance wasn't automatic yet. But that will work for a lot of people.
Both the first three and the middle two have a pretty clear rhyme and reason to them which would likely make getting them right a not-so-difficult task after a bit of homework.
Voter registration data is available for purchase, but only by registered political committees and can't be used for commercial purposes. This also doesn't include a lot of the breached data like partial SS#'s and drivers license #'s. As a Chicagoan I'm not too happy about this breach, and there has been surprisingly little coverage of it locally.
Yes. One of my first jobs out of school I worked with a Standford professor Doug Rivers (@pollingpoint) that had millions of users voting records he obtained from the government for 'research' purposes. That data: your name, address, what party you are in, et al. is TOTALLY public and passed around legally to other research centers and government agencies. He had me match address information with other databases.
This is a false and defamatory. I (Chris Vickery) have never ransomed any data. I have protected the private data of hundreds of millions. Post some evidence or retract your comment.
I never said "you" (assuming it's really you, new account and all) ransomed the "data" specifically, but I do know of two instances where you threatened companies to go to their customers and/or the FTC unless they met your specific demands.
jsjohnst- I've posted on my twitter account (@vickerysec) to verify that this is indeed me. Now, please explain the two situations you refer to. I vehemently deny the accusation and would love to know the origin of those false claims.
A misconfigured AWS instance is always an issue. I'm not trying to downplay that. Only that this data being released to the public isn't anything new - the public already had access to it.
https://www.elections.il.gov/votinginformation/computerizedv...