A successful data breach is like hitting the jackpot for cybercriminals. These breaches typically allow shady outfits to acquire the personal and sensitive information of millions and sell it online for a quick profit.
This is why it’s important to be aware of the latest known breaches that are occurring around you.
Most known data breaches happen when a hacker manages to infiltrate an online database or a website with user records. But what if legitimately acquired information is being peddled and shopped around illegally online?
This is exactly what’s happening to millions of voter registration records across multiple states. Read on and see why this new cybercriminal scheme can be a threat, not just to you, but to the whole country, as well.
Voter data now available on the Dark Web
Now, this is quite troubling. The personal information and voting history of over 35 million U.S. voters were spotted on sale on a popular Dark Web hacking forum.
Cybersecurity researchers from Anomali Labs and Intel471 discovered the advertisements and they noted that this is the first of its kind.
“To our knowledge this represents the first reference on the criminal underground of actors selling or distributing lists of 2018 voter registration data,” said Hugh Njemanze, Anomali Labs’ CEO.
Data advertised in the cache reportedly includes the following:
- Full name
- Phone numbers
- Physical addresses
- Voting history (Note: This pertains to whether you voted in a certain election. This doesn’t indicate who you voted for.)
- Other unspecified voting data
Researchers from both Anomali Labs and Intel471 said that they have reviewed a portion of the database and they have “determined the data to be valid with a high degree of confidence.”
Based on a screenshot from Anomali Labs, here are the states listed in the forum post and their corresponding prices:
- Montana – $1000
- Louisiana – $5000 (3 Million Voters)
- Iowa – $1100
- Utah – $1100
- Oregon – $500
- South Carolina – $2500
- Wisconsin – $12500 (6 Million Voters)
- Kansas – $200
- Georgia – $250
- New Mexico – $4000
- Minnesota – $150
- Wyoming – $500
- Kentucky – $2000
- Idaho – $1000
- Tennessee – $2500
- South Dakota – $2500
- Mississippi – $1100
- West Virginia – $500
- Texas – $1300 (14 Million Voters)
Based on this information, it appears that only three states — Louisiana, Wisconsin, and Texas — have listed voter headcounts, amounting to 23 million. However, Anomali Labs estimates that the entire breach may contain over 35 million records. The grand total for all 19 states? $42,200.
How does the seller acquire the data?
According to the Dark Web seller, they receive weekly updates of voter registration data from these states from… get this, contacts within the state governments. This suggests that there are government sources in these states that are actively giving away the information.
Certain states even require the seller to travel directly to locations in-state and receive the updates in person.
Keep in mind that voter registration data can actually be obtained legally, at a different cost in each state. (More on this later.)
This means that the data was not necessarily acquired via cyberattacks or online database infiltrations, but rather, it looks like the seller is trying to redistribute legitimately acquired voter data for a profit.
Is this data public or not?
As I mentioned earlier, these voter registration lists can be acquired legally in certain states by authorized organizations like journalists, researchers and political campaigns. Most states even consider basic voter registration data like full names, addresses, emails, and party affiliations as public records.
However, voter lists cannot be used for commercial purposes nor can they be republished and posted online.
So the question is this. Is the seller legitimately obtaining the data and reselling it online (highly unlikely) or is the data being intercepted and stolen from authorized groups like market researchers and political campaigns? Most probably.
If anything, the emergence of these voter registration lists from the affected 19 states highlights how unauthorized parties can obtain this data with relative ease.
Since they don’t follow the state rules and restrictions imposed on authorized data brokers, they are willing to redistribute the information for profit with total disregard for the law. (They don’t call them cybercriminals for nothing, right?)
How can this information be harmful to you?
Although most of the voter information included in this breach can be considered public and can be acquired for free in some states, this is the first time that it has been collected in one place and sold online.
When these voter lists are combined with other sensitive information from other data breaches (Social Security numbers from the Equifax breach, for example), cybercriminals can create full individual profiles that can be used for identity theft and election fraud.
In fact, with this data, malicious actors can disrupt the upcoming U.S. elections via physical address changes, deletion of voter registrations or absentee ballot requests for legitimate voters.
Is there a way to know if you’re part of the lists?
So is your name included in the breach? Unfortunately, since the data is still up for sale, neither the full reach nor the actual contents of the information are fully known yet.
But a member of the Dark Web message board is currently organizing a crowdfunding campaign to raise the money to purchase each state’s voter registration list so the data can leak out sooner or later.
However, if you are a resident and a registered voter of any of the 19 states included in the list, it’s safe to assume that your information is part of the breach.
Like I said, voter information is publicly accessible anyway and the real danger is when this data is combined with the information from other breaches.