SPRINGFIELD, Ill. — Hackers have breached databases for election systems in Illinois and Arizona, according to state election and law enforcement officials.
In Illinois, hackers accessed a database for the Illinois Board of Elections, compromising up to 200,000 personal voter records according to Ken Menzel, General Counsel for the board.
The FBI is investigating the hack, which initially occurred in late June and was discovered in July. It was first reported by Yahoo. Officials with the Board of Elections are “highly confident they (the hackers) weren’t able to change anything, although the investigation is still going on” according to Menzel.
Investigators believe the hackers are likely based overseas, according to a law enforcement official.
The Illinois database included voters’ names, addresses, sex and birthdays in addition to other information. Some of the records include either last four digits of a voter’s social security number or drivers’ license numbers. The database is comprised of records for 15 million individuals and is 10 years old. Not all outdated information has been purged, according to Menzel, so some of those records likely include information for deceased voters or those who have subsequently moved.
According to Matthew Roberts, Director of Communications for the Arizona Secretary of State, in late May, Arizona officials took the statewide voting registration system offline after the FBI alerted the Arizona Department of Administration that there was a credible cyber threat to the voter registration system.
While the Washington Post reported that Roberts attributed the database breach directly to a Russian hacker, when pressed by CNN he said that the Arizona Secretary of State’s office learned of Russian involvement from internal IT and cyber security staff. “We indirectly heard that the credential and username posted online was from a known Russian hacker,” Roberts said.
When they took the system offline to review any vulnerabilities, they discovered that a county election official’s username and password had been posted online publicly. It’s believed that a worker may have inadvertently downloaded a virus which exposed the username and password. In this instance, the username and password information posted would only give individuals access to a localized, county version of the voting registration system, and not the entire state-wide system.
Roberts says there is no evidence that any data within the system was compromised and there was no evidence of malware present in the database.
The breaches are causing concern among election officials because of the voter personal information that could have been stolen, not because of any fear that an election could be stolen, law enforcement officials say.
States have a variety of systems — some better than others — but the voting machines and tabulating systems are generally not connected to the internet, which would be the vulnerability hackers would use to compromise the electoral system.
The Department of Homeland Security is unaware of any specific credible threat to the electoral systems, according to a law enforcement official.
Election databases are attractive targets to hackers because they contain personal information that can be cobbled together with other data to help criminals steal money.
DHS has offered to help states increase security of their systems, but states have rebuffed federal help and largely believe their systems are secure. DHS Secretary Jeh Johnson held a conference call recently to discuss whether DHS should declare electoral systems as critical infrastructure, which triggers more involvement from the federal government. States have resisted those moves.
In a statement, FBI spokesperson Jillian Stickels said, “While we cannot comment on specific alerts, what I can say is that in furtherance of public-private partnerships, the FBI routinely advises private industry of various cyber threat indicators observed during the course of our investigations. This data is provided in order to help systems administrators guard against the actions of persistent cyber criminals.”
Illinois officials say it’s been a challenge to identify everyone whose records were compromised as they have to sort through the 109 jurisdictions that may have been affected. According to Menzel, they are working with the FBI and other law enforcement agencies to figure out who was responsible.
Menzel says the board is not concerned about the integrity of the voting system and does not expect the breach to impact the upcoming general election.
Illinois voting machines are not connected to the internet in any way, according to Menzel. Most voters in Illinois use an optical scan ballot but some jurisdictions do have touch screen machines to comply with Americans with Disabilities Act regulations. In some large counties, such as Cook County, at the end of the voting day, early unofficial voting results are reported back and sent via cell phone signal but they have encryption protection. Arizona largely uses paper ballots and also has touch screen machines.