Georgia voter records found exposed on internet by researcher
A security researcher disclosed a gaping security hole at the outfit that manages Georgia’s election technology, days before the state holds a closely watched congressional runoff vote on June 20.
The security failure left the state’s 6.7 million voter records and other sensitive files exposed to hackers and may have been left unpatched for seven months. The revealed files might have allowed attackers to plant malware and possibly rig votes or wreak chaos with voter rolls during elections.
Georgia is especially vulnerable to such disruption, as the entire state relies on antiquated touchscreen voting machines that provide no hardcopy record of votes, making it all but impossible to tell if anyone has manipulated the tallies.
The true dimensions of the failure were first reported Wednesday by Politico Magazine. The affected Center for Election Systems referred all questions to its host, Kennesaw State University, which declined comment. In March, the university had mischaracterized the flaw’s discovery as a security breach.
Logan Lamb, a 29-yearold Atlanta-based private security researcher formerly with Oak Ridge National Laboratory, made the discovery last August. He said he decided to go public after the publication last week of a classified National Security Agency report describing a sophisticated scheme, allegedly by Russian military intelligence, to infiltrate local U.S. elections systems using phishing emails.
The NSA report offered the most detailed account yet of an attempt by foreign agents to probe the rickety and poorly-funded U.S. elections system. The Department of Homeland Security had previously reported attempts last year to gain unauthorized access to voter registration databases in 20 states — one of which, in Illinois, succeeded, though the state said no harm resulted.
It also emboldened Lamb, who felt the election center had not been serious enough about security, to come forward with his findings.
Lamb discovered the security hole — a misconfigured server — when he did a search of the Kennesaw State election-systems website. There, he found a directory open to the internet that contained not just the state voter database but PDF files with instructions and passwords used by poll workers to sign into a central server used on Election Day. Lamb said he downloaded 15 gigabytes of data, which he later destroyed.
“It was an open invitation to anybody pretending to even know a little bit about computers to get into the system,” said Marilyn Marks, an election-transparency activist whose Colorado-based foundation participated in a failed lawsuit that sought to bar the use of paperless voting machines in next week’s election, in which firsttime candidate Jon Ossoff, a Democrat with a national security background, and his GOP opponent, former Georgia Secretary of State Karen Handel, are running.