Nearly 2 Million Voters Exposed in Latest Amazon S3 Error
Researchers this week discovered that personal data of over 1.8 million Chicago voters had been left exposed in a misconfigured Amazon Simple Storage Service (S3) bucket.
On Aug. 11, security firm UpGuard found backup files containing voters' personally identifiable information -- including names, addresses, dates of birth, driver's license numbers and the last four digits of their Social Security numbers -- in an Amazon S3 bucket that had been configured to allow public access.
The S3 bucket was part of an Amazon Web Services (AWS) account run by ES&S, a provider of election software and solutions that the Chicago Election Board first hired in 2014 to manage the city's voter check-in process.
In a report on Thursday summarizing the find, UpGuard noted that the data appeared to have been collected around the time of last November's general election and was "almost entirely downloadable to anyone accessing the bucket's web address."
ES&S took the S3 bucket offline on the evening of Aug. 12 after being alerted by UpGuard. In a separate statement Thursday, ES&S confirmed UpGuard's findings and said that it has "launched a full investigation, with the assistance of a third-party firm, to perform thorough forensic analyses of the AWS server."
UpGuard is no stranger to ferreting out compromised data stored on AWS. Earlier this summer, the firm discovered another S3 error that exposed the personal information of nearly 200 million voters. In that instance, the compromised S3 bucket was owned by a private analytics company that had been contracted by the Republican National Committee. The firm subsequently found similar S3 security holes exposing the personal data of Verizon account holders and Dow Jones customers.
In its report Thursday, UpGuard stressed the importance of ensuring the security of private data, particularly when the task of storing that data is outsourced.
"The danger of voter data being unwittingly exposed by private companies tasked with its storage remains a real threat, one that transcends any partisan concerns," the company wrote. "As more and more functions of daily life shift to a digital footing, so too grows the surface for a potential cyber attack, no matter whether this cyber risk is shifted off to a third-party vendor. Cyber risk is business risk, and a third party vendor's cyber risk is the main enterprise's business risk as well."
UpGuard also underscored the security risks posed by misconfigured S3 buckets, which have lately become a common occurrence.
"In the case of this breach, as well as others, this data was only exposed because the Amazon S3 bucket in question was configured to allow public access, permitting anyone accessing the repository's URL to download its contents," UpGuard said in its report. "AWS default settings are built to ensure that only authorized employees are able to access this data. Should this access configuration be changed, the IT enterprise in question must have processes in place to ensure such exposures are caught and remediated."
AWS itself has warned its customers directly to secure their S3 buckets after this summer's spate of security blunders. In addition, the company rolled out several improvements to its services earlier this week that are aimed specifically at securing S3.
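The kind of check UpGuard's report calls for, catching a bucket whose access configuration has been changed to public, can be sketched as follows. This is an added example, not code from UpGuard, ES&S or AWS; it assumes the bucket's ACL and policy have already been fetched as JSON, and the function names and sample buckets are hypothetical.

```python
# Added example (not from UpGuard or AWS): offline check of an S3 bucket ACL and
# bucket policy for public read access. All sample data below is constructed.
from fnmatch import fnmatchcase

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account holder",
}
READ_ACTIONS = ("s3:getobject", "s3:listbucket")


def _as_list(value):  # policy fields may be a single value or a list
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    if isinstance(principal, dict):
        principal = principal.get("AWS")
    return "*" in _as_list(principal)


def public_read_findings(acl, policy=None):
    """Return findings as strings; an empty list means no public read path was found."""
    findings = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GROUPS and grant.get("Permission") in ("READ", "FULL_CONTROL"):
            findings.append(f"ACL grants {grant['Permission']} to {PUBLIC_GROUPS[uri]}")
    for stmt in _as_list((policy or {}).get("Statement")):
        if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        patterns = [a.lower() for a in _as_list(stmt.get("Action"))]
        hit = [t for t in READ_ACTIONS if any(fnmatchcase(t, p) for p in patterns)]
        if hit:
            scope = "conditionally" if stmt.get("Condition") else "unconditionally"
            findings.append(f"policy {scope} allows {', '.join(hit)} to any principal")
    return findings


# Constructed sample: a backup bucket left readable through both its ACL and policy.
EXPOSED_ACL = {"Grants": [{"Grantee": {"Type": "Group",
    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
EXPOSED_POLICY = {"Statement": {"Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-backups/*"}}

if __name__ == "__main__":
    print("\n".join(public_read_findings(EXPOSED_ACL, EXPOSED_POLICY)))
```

In practice the two inputs would come from the S3 GetBucketAcl and GetBucketPolicy API calls. Block Public Access settings, which can override both, are not modelled here.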