[Image via enterpriseiotinsights]

A new report suggests that several state voter registration files are available for sale on the “dark web”. The Associated Press has more:

Anomali researchers in close partnership with Intel 471, a leading cybercrime intelligence provider, have uncovered a widespread unauthorized information disclosure of US voter registration databases. Anomali and Intel 471 researchers discovered dark web communications offering a large quantity of voter databases for sale. The databases include valuable personally identifiable information and voting history. The disclosure reportedly affects 19 states and includes 23 million records for just three of the 19 states. No record counts were provided for the remaining 16 states, but do include prices for each state. We estimate that the entire contents of the disclosure could exceed 35 million records. Researchers have reviewed a sample of the database records and determined the data to be valid with high degree of confidence.

Of note, the seller indicates they receive weekly updates of voter registration data across the states and that they receive information via contacts within the state governments. Certain states require the seller to personally travel to locations in-state to receive the updated voter information. This suggests the information disclosure is not necessarily a technical compromise but rather a likely targeted campaign by a threat actor redistributing possibly legitimately obtained voter data for malicious purposes on a cybercrime forum. [emphasis added – DMCj]

That last point is important; this data may not have been stolen via a “hack” but rather represents a misuse of voter files by an unauthorized party. Still, this threat – large files with voters’ personally identifiable information being offered for sale to individuals who may not respect state and local laws regarding what can (and cannot) be done with such information – is the kind of election cyberthreat that worries me the most. Much of our election cybersecurity focus to date has been on voting technology and election outcomes, but this scheme of treating voters’ information like stolen goods is, in my opinion, the greatest long-term threat to the integrity of our nation’s election system.

I look forward to seeing more on this story as the affected states seek to reclaim control over their data … stay tuned.