Pennsylvania pulls plug on voter site after data leak
With voting in Pennsylvania's presidential primary just a month away, the state
was forced to pull the plug on a voter registration Web site Tuesday after it
was found to be exposing sensitive data about voters in the state.
The problem lay in an online
voter registration application form that was designed to simplify the task
of registering to vote. State residents used it to enter their information on
the Web site, which then generated a printable form that could be mailed to
state election officials. Pennsylvania's Department of State disabled the registration
form late Tuesday after being informed of the vulnerability by IDG News Service.
Because of a Web programming error, the Web site was allowing anyone on the
Internet to view the forms, which contained data such as the voter's name, date
of birth, driver's license number and political party affiliation. On some forms,
the last four digits of social security numbers could also be seen.
"Upon learning of this situation, the Department of State acted immediately
to disable the specific page," said Department of State Spokeswoman Leslie
Amoros in an e-mail message.
"The Department is reviewing the facts to determine how this information
became available," she said. "We are also taking all necessary steps
to correct the situation and are implementing processes aimed to prevent future
occurrences"
The flaw
was first reported by a reader of Digg.com, who stumbled upon the bug after
filling out a voter registration form.
"Being a security conscious programmer, I decided to test," wrote
the reader, identified only as mtg169, "Very bad PA...very very bad!"
The bug did not expose all registration data, just the information supplied
by those who used the Web site's online form. About 30,000 voter registration
records appeared to be available on the site.
"That's bad, really bad," said Jeremiah Grossman, chief technology
officer with Web security vendor WhiteHat Security. In an e-mail, he said he
hadn't seen this type of error on a voter registration Web site before, but
that it was caused by a common Web programming error. "We've seen a great
many vulnerabilities like this in the course of doing out work.
Many counties offer
online access to voter registration data, so that residents can check on
their status, but these databases typically remove data that could be misused,
such as date of birth, social security numbers and driver's license numbers.
The last four digits of a social security number are often used as a security
question, required to access certain types of billing accounts, and a skilled
identity thief could use a driver's license number, name and address in a check
forging scheme, according to privacy experts.
"There are so many alarming things about this," said Kim Alexander,
president of California Voter Foundation, which
has studied voter privacy across the U.S. "It just seems to be a case
where you have government agencies using sophisticated technology in thoughtless
ways."
With an important presidential primary set to occur in Pennsylvania on April
22, it's particularly worrisome that this data could have been accessed by anyone,
she added. "All kinds of dirty tricks could be played," she said.
"In heated campaigns we've seen cases where someone will call a whole bunch
of voters and tell them that the election date has been changed."
While states may make these databases available for political purposes, their
use is strictly controlled and sensitive information like driver's license numbers
is removed. With the data on the Web, this is no longer possible, Alexander
said. "You lose all those protections when you have this data available
on the Internet."
"It's unprecedented that this information would be so freely available
on the Internet," she added.
Ironically, with many voters already avoiding voter registration because of
privacy concerns, Pennsylvania's efforts to help voters may end up backfiring,
said Beth Givens, director of the Privacy Rights Clearinghouse "When word
gets out, it will be one of those things that will deter people from registering
to vote," she said.
IDG News Service
Symantec Backup Exec 12 and Backup Exec System Recovery 8 deliver industry leading Windows data protection and system recovery. Download this whitepaper to find out the top reasons to upgrade and how to get continuous data protection and complete system recovery.
Data and system loss — from a hard drive failure, malicious attack, natural disaster, or simple human error — can happen anytime. Don’t leave your business vulnerable. Make sure you have a secure recovery strategy in place. Symantec's latest backup and system recovery technology can efficiently restore critical applications, individual emails and documents and even restore your entire system in minutes in the event of a loss.
Businesses face a growing challenge to ensure that the IT environment is properly protected. Backup Exec 12 integrates with other applications in the Symantec family of products, to complement your current data protection strategy, keep your data securely backed up and make it recoverable when you need it most.
VMware ESX Server in the Enterprise
By Edward L. Haletky
Published Dec 29, 2007 by Prentice Hall.
Enter now! | Official rules | Sample chapter
Green IT
By Toby Velte, Anthony Velte, Robert C. Elsenpeter
To be published Oct. 10, 2008 by McGraw Hill Professional
Enter now! | Official rules | About the book
