Who Hacked Into Maricopa County’s Voter Files And What Data Did They Get?

data lock
Photo by Yuri Samoilov/Creative Commons)

Five weeks after the FBI seized several computer hard drives from a residence in Fountain Hills, the public still does not know why someone allegedly hacked into the Maricopa County Recorder’s voter database nor what information the hacker was able to extract.

On Nov. 5, Information Technology (IT) professional Elliot Kerwin signed a receipt for property seized from his condominium by the FBI who were acting under authority of a warrant issued by U.S. Magistrate Judge Michael Morrissey. The warrant permitted federal agents to search Kerwin’s home and vehicles for evidence of a conspiracy to commit computer intrusion from Oct. 21 through Nov. 4.

Computer intrusion is the fancy name for hacking.

County recorders across the state sell general voter data to the public all the time, as it is helpful to candidates, political parties, and marketing companies. However, voter data is heavily redacted before being released to the public.

For instance, a voter’s full date of birth is not released, only the year. Nor is a voter’s prior addresses within the county, their email address if on file, or the voter’s signature. All of which is highly prized by identity thieves and others with nefarious intentions.

IT expert John Backer of Zinatt told Arizona Daily Independent there are ways for cybersecurity specialists -and hackers- to access a full database without having access to an employee’s sign-in information. This is known as SQL injection and it can start with a simple search inquiry on a website.

That is why it is important, he said, to know why someone hacked into Maricopa County’s website and what they intended to do with the information. Some hackers are motivated by a challenge or paycheck, while others may be acting as good guys -or “white hats”- to point out a system’s vulnerabilities, Backer said. Then there are the “black hat” hackers who have an evil intent.

When news of the breach became public last month, spokeswoman Megan Gilbertson said the county’s IT Security department discovered the intrusion. Additional security controls were put in place “to mitigate against this activity occurring in the future,” she said.

However, neither the county’s Board of Supervisors, Elections Department, nor the Recorder’s Office has stepped forward to explain how the breach was discovered and what voter data was accessed. County officials have also not disclosed whether Penetration (or PEN) testing is utilized on a regular basis of its many systems.

Such testing is recommended, Backer explained, to ensure personal identifying information (or PII) is sufficiently protected.

“The apparent data breach involving Maricopa County’s voter rolls serves as a wake up call to government agencies, businesses and individuals across America and the world,” he said. “Organizations entrusted with PII have a duty and obligation to secure our data using an array of policies, technologies, and regular penetration testing to insure the information is secure against a world of evolving threats.”

The application presented by the FBI to the judge in support of the warrant has not been made public. On Nov. 16, a special agent filed the receipt for property seized with the court. It shows a number of computers, hard drives, USB, and SD/memory cards were removed.
A spokeswoman for the U.S. Department of Justice in Phoenix declined to comment on the search or a timetable for filing criminal charges, noting it is “part of an ongoing investigation.”

Business records show Kerwin was previously involved in computer tech companies in Wisconsin. He and Ellen Kerwin have owned the Fountain Hills property since late 2018.