On Monday, Arizona officials confirmed reports that a voter registration database in the state had been hacked, after a notice was sent to elections officials around the country. Illinois’ voter registration database was also breached.
Authorities believe no personal information has been compromised.
Jamie Winterton, director of Strategic Research Initiatives at Arizona State University’s Global Security Initiative, told ASU Now that the biggest risk was voter trust in the electoral system.
Winterton said the breach “wasn’t on the voting machine software itself, but on the registration databases in Arizona and Illinois. Most of the information in the database is publicly available, so it’s not terribly concerning from an identity-theft perspective. What is worrisome, however, is that the voter database guides who is — and who is not — allowed to vote. With the possibility that Arizona will be a swing state this year, removing even a small percentage of voters from the database could swing the result.”
According to Mother Jones, “On August 18, state elections officials received a ‘Flash,’ a notice sent by the FBI to various relevant parties, titled ‘Targeting Activity Against State Board of Election Systems.’ The FBI reported that it had received reports of an additional IP address—a unique series of numbers that identifies every device that connects to the internet—within the logs of one state’s board of election’s system in July, and then another attempt at breaking into a separate state’s system in August.”
Winterton told ASU Now that the “attackers used something called SQL injection. SQL stands for Structured Query Language; it’s how many databases are managed. When you type information into a box on a website — a username and password, for example — that website is probably using SQL to facilitate the conversation between you and the database, to make sure you have an account and the right credentials to access it. During a SQL injection attack, though, a hacker will type code into the box instead of a username, in an attempt to control the database. If the website doesn’t check to make sure that the inputs are valid, the code gets passed through to the database and can do things like dump information or allow modifications of the database.”
Winterton says there is an easy fix: “creating rules against nonsensical inputs — no one’s name has a ‘=’ in it, for example — goes a long way towards protecting against SQL injection attacks.”
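The following is an added example, not part of the original article or of any system it describes: it shows the kind of unchecked query Winterton describes beside a parameterized one, plus an input rule of the sort she mentions. The table, sample rows, function names and crafted input are all constructed for illustration.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data: a tiny stand-in for a registration lookup table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE voters (name TEXT, precinct TEXT)")
    db.executemany(
        "INSERT INTO voters VALUES (?, ?)",
        [("Ann O'Neil", "P-01"), ("Raj Patel", "P-02"), ("Li Wei", "P-03")],
    )
    return db

def lookup_unsafe(db, name):
    # Vulnerable: the input is pasted into the SQL text, so quote characters
    # in it change the structure of the query itself.
    sql = "SELECT name, precinct FROM voters WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def lookup_safe(db, name):
    # Hardened: the ? placeholder sends the input as data only, so the
    # database never parses it as SQL.
    sql = "SELECT name, precinct FROM voters WHERE name = ?"
    return db.execute(sql, (name,)).fetchall()

# Input rule (assumed policy): letters, spaces, periods, apostrophes, hyphens.
# Apostrophes must stay legal for real names, which is why the rule is a
# first filter and parameter binding is what actually closes the hole.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z .'\-]{0,63}")

def valid_name(name):
    return NAME_RE.fullmatch(name) is not None

CRAFTED = "x' OR '1'='1"  # constructed input containing SQL syntax

if __name__ == "__main__":
    db = make_db()
    print("unsafe:", lookup_unsafe(db, CRAFTED))   # every row is returned
    print("safe:  ", lookup_safe(db, CRAFTED))     # no rows match
    print("rule:  ", valid_name(CRAFTED), valid_name("Ann O'Neil"))
```

The legitimate name "Ann O'Neil" passes the input rule and works with `lookup_safe`, but the same name makes `lookup_unsafe` fail with a SQL syntax error, which is a common first sign in logs that a query is being built by string concatenation.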
Yahoo News quoted a cybersecurity expert who claimed one of the IP addresses had “surfaced before in Russian criminal underground hacker forums.”