2 Investigators: How The Breach In Chicago Voter Data Was Found
(CBS) -- If you are a registered voter in Chicago, your personal information was posted, online, for anyone to see.
It was a security breach, by the folks who were supposed to protect it. So, did anyone steal the information and are you at risk? CBS 2's Brad Edwards reports.
It was Friday Aug. 11 in Silicon Valley.
John Hendren, a marketing representative for IT security firm UpGuard, was looking for insecure data in the cloud.
He randomly plugged in "Chicago … db," for "Chicago database," and hit the jackpot.
He found names, addresses, birth dates, driver's license numbers and the last four digits of Social Security numbers for up to 1.8 million Chicago voters.
"It's like hitting a hole in one on the first time you play golf," Hendren says.
Chris Vickery at the same company says the breach rates at 10 on a severity scale of 1 to 10.
"Anyone with a web browser and an internet connection, anywhere in the entire world, could have downloaded these files," he says.
Chicago's vendor is ES&S, out of Omaha, Nebraska. The company has been paid more than $5 million since 2014 by the Chicago Board of Elections.
The company placed the data folder on Amazon Web Services with the wrong security settings, Tom Burt, the firm's CEO, recently told Chicago officials.
Burt says managers missed the gaffe, and the database remained online for six months, until UpGuard found it. Company officials say they don't believe the information ended up on the "dark web" for identity thieves to attain.
Vickery says only Amazon would know, and they're not saying.
"I think the city of Chicago needs to get definitive word from Amazon as to whether or not this got into other hands," Vickery says.
Amazon would not discuss the breach.
The Chicago Election Board says the performance of ES&S remains under review. The firm is offering fraud consultation and ID theft protection for voters at no cost. For more information, click here.
