DHS Downplays Report That Data Thieves Are Selling Millions of Voters’ Data

Various data on up to 35 million U.S. voters as many as 19 states is for sale online, according to a new report from a pair of cyber security research firms. But the Department of Homeland Security says that’s nothing new: much of the data is either public or available for purchase from state and local governments.

An Oct. 15 report from cybersecurity research firms Anomali Labs and Intel471 makes a big claim: “To our knowledge this represents the first reference on the criminal underground of actors selling or distributing lists of 2018 voter registration data, including US voters’ personally identifiable information and voting history.”

It says that on Oct. 5, voter registration records for Texas, Georgia, and at least 17 more states were offered for sale on the popular dark web hacking forum “Raid Forums” by a  “known illicit vendor”: a figure named "Downloading,” a likely alias for an administrator on the forum. The data purportedly includes names, addresses, voting history, and “other data” according to the statement. The price? Cheap, starting at $150 for some states and reaching as high as $12,500.

“DHS is aware of the report. It is important to note that much of information purportedly being sold is available in most states either publicly or commercially,” a DHS spokesman said in an email  “It does not appear that this data is indicative of a successful breach of state or local election infrastructure.”

It’s a familiar line from DHS: your voter registration data is more open than you realize, and that’s not necessarily a threat to election security.

“It’s actually fairly easy to get [voter registration] data. In most states, you can buy the data. It’s not that we’re worried about losing the data. What we are worried about is manipulation of the data,” Homeland Security Undersecretary Jeanette Manfra told a crowd at the DEFCON cybersecurity conference in Las Vegas, Nevada, in August.

Roberto Sánchez, a representative from Anomali Labs, acknowledged that the lists on offer from Downloading “were the same or nearly equivalent to the prices of the public database lists.”  But that doesn’t mean the use of the data was authorized. “The majority of states mention the voter lists can be purchased for political activities only,” said Sánchez. “The voter data lists that they are offering are available to authorized parties for a fee, so they won’t necessarily be available to the public at large as well as free of charge.”

It’s another example of how easy it is for personal data to wind up for sale by actors who may wish to target individuals with messaging or influence operations. But that’s different from a threat against actual voting infrastructure or one that could meaningfully change votes.

In August, Manfra addressed a wide variety of threats to U.S. voting systems and processes, as, just down the hall at Caesar’s Palace, teenagers hacked voting machines to demonstrate how easy it was to break in and manipulate data. Bottom line: she said that while the security of individual voting machines leaves much to be desired, the chances of individual attackers physically manipulating enough of them to change a vote outcome was low to zero. The fact that so many states and jurisdictions have different processes and systems makes a nation-wide vote manipulation effort much harder. And while the widespread purging of voters from rolls does represent a concern, she said, it’s one of public perception, not vote outcome.

If attackers were able to purge voter information from rolls, the result would be confusion and fear at the appearance of a breakdown in the voting system. It would create “discord and … some lack of confidence. It would be something along the lines of creating longer lines,” she said. But even then, the hack would not affect the vote directly, so long as enough people understood that they could still use a provisional ballot, she said.

“Every jurisdiction in this country is required to have a provisional ballot so even if there is some confusion about whether you are allowed to vote, you’re still allowed to cast a provisional ballot and then the administrators will go back and determine if that was appropriate,” Manfra said.

Manfra said that the threat against U.S. election systems, including roll purging by hackers, was lower than it was during the last presidential election. “We aren’t seeing the targeting that we did see in 2016,” she said.

In their statement on Monday, DHS said that “As part of our ongoing partnership with state and local election officials to improve election resilience, we are engaged with all 50 states and have the ability able to rapidly communicate with any election jurisdiction to provide alerts or incident response. DHS also offers assistance to political entities, including individual campaigns, and has engaged with both national campaign committees, offering training and services.”