Voter records from 19 states are for sale on underground hacker forums, according to research from Anomali and Intel 471 published Monday.
The discovery highlights hackers’ ongoing interest in exploiting voter data — and certainly marks unauthorized use of the data — but the incident doesn’t necessarily represent a breach. While the records are being illicitly sold, they’re not necessarily illicitly obtained. In many states, basic voter information, like name, address and party affiliation are public records. However, there are varying restrictions around who is allowed to obtain them, sometimes being limited to journalists, researchers or political campaigns.
The researchers estimate the vendors are offering more than 35 million records from the following states: Georgia, Idaho, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Mississippi, Montana, New Mexico, Oregon, South Carolina, South Dakota, Tennessee, Texas, Utah, West Virginia, Wisconsin and Wyoming.
The report says the price for a state voter list ranges from $150 to $12,500. It’s not entirely clear why there’s such a huge disparity, but data from some states might be harder to get than others. According to the report, the seller has physically traveled to certain states to obtain the data and receives periodic updates on new data from contacts within state governments. The total price for the 19 lists is $42,200.
“This suggests the information disclosure is not necessarily a technical compromise but rather a likely targeted campaign by a threat actor redistributing possibly legitimately obtained voter data for malicious purposes on a cybercrime forum,” the report says.
According to Anomali and Intel 471, users have organized on the hacker forum to crowdfund the cost for some of the listed data. The researchers say the database for Kansas was already available to the forum’s members when the report was published.
The report offers a few examples of potential malicious applications of the voter data, like changing voter registrations to prevent someone from voting. However, officials say voters can always request a provisional ballot if there is a technical problem at the polls. More likely, the data (if genuine), can be used for identity fraud when combined with other data.
“When these lists are combined with other breached data containing sensitive information, e.g., social security number and driver’s license, on underground forums it provides malicious actors with key data points for creating a target profile of the US electorate,” the report says.
The researchers say this represents the first instance of cybercriminals illicitly exchanging 2018 voter registration data. In July, it was reported that hundreds of thousands of voters’ records were left exposed by a Virginia robocalling firm due to a misconfigured server.