Researchers discovered this week that the personal data of more than 1.8 million Chicago voters was exposed in a misconfigured Amazon Simple Storage Service S3 bucket.
Security firm UpGuard discovered backup files containing voter’s personally identifiable information on Aug. 11. This included names, addresses and dates of birth. The files were located in an Amazon S3 bucket that was set up to allow public access.
The S3 bucket was part an Amazon Web Services account (AWS), which was managed by ES&S. ES&S is a provider of election software solutions and solutions, which the Chicago Election Board first hired to manage the city’s voter check in process in 2014.
UpGuard published a Thursday report summarizing the findings. It noted that the data appeared have been collected around last November’s general elections and was “almost completely downloadable to anyone accessing bucket’s website address.”
After UpGuard alert, ES&S took down the S3 bucket on the evening of August 12. ES&S made a separate statement on Thursday to confirm UpGuard’s findings. It stated that it had “launched a thorough investigation with the assistance of a 3rd-party firm to conduct thorough forensic analyses of AWS server.”
UpGuard has a history of finding compromised data on AWS. The firm discovered another S3 error earlier this summer that exposed personal information for nearly 200 million voters. The compromised S3 bucket was actually owned by a private company that had been contracted to analyze data for the Republican National Committee.
The firm discovered similar S3 security flaws that exposed the personal data of Verizon account holders as well as Dow Jones customers.
UpGuard highlighted the importance of protecting private data in its Thursday report. This is especially true when data storage is outsourced.
The company stated that the danger of voter data being unwittingly exposed to private companies charged with its storage is a real threat and one that transcends any political concerns. “As more functions of daily life shift towards digitalization, so does the potential for cyber attacks, regardless of whether this cyber risk is transferred to a third party vendor.” Cyber risk is a business risk. The cyber risk of a third-party vendor is also the main enterprise’s business risks.
UpGuard also highlighted the security risks associated with misconfigured S3-bunks, which are becoming more common in recent years.
“In the case, as in other breaches, this data was only exposed due to the Amazon S3 bucket in issue being configured to allow public accessibility, permitting anyone accessing its URL to download its contents,” UpGuard stated in its report. “AWS default settings are designed to restrict access to this data to authorized employees. This access configuration must be maintained and updated by the IT enterprise concerned.
AWS has directly warned its customers to secure their S3 buckets following this summer’s security woes. The company also introduced several improvements to its services earlier in the week that are specifically aimed at S3.