Voter Data Exposed: 650,000 Voter Records Found On Auctioned Voting Machine

A voting machine sold on eBay was found to contain the personal information of more than 650,000 voters who cast votes in Shelby County, Tennessee.

The machine, an ExpressPoll-5000 electronic poll book from Election Systems and Software (ESS) used to check in voters on election day, was purchased with the intention of being used at the Black Hat hacker conference in Las Vegas.

Read: Voter Registration Data Breach: Unsecure Server Leaves Info On Nearly 200 Million Americans Exposed

While the machine, along with numerous others, were intended to be used to allow hackers to test the security of election equipment, the failure to wipe personal information from the machine served as a stark indication of just how poor security practices surrounding U.S. elections can be.

The electronic poll book was acquired via auction on eBay, where the U.S. government often sells decommissioned voting equipment. However, standard practice requires those machines be wiped of all voter information.

Instead, the personal records of 654,517 people who voted in the Memphis area were still intact in the machine’s memory. While the details of what information was accessible in the voting machine are unknown, many electronic poll books keep track of names, addresses, date of birth, political party, whether the person voted absentee, and whether they were asked to present identification.

The voter information is stored on a removable memory card. It can be accessed by removing the drive from the voting machine and inserting the card into a reader that can be accessed from a computer.

Read: US Election Hacked? Voter Rolls Altered, Data Stolen By Russian Hackers, Report Says

Josh Palmer, the security researcher who discovered the trove of voter records on the card, was able to access the file with a card reader and a laptop. There was no password protection required to access the file and the information was not encrypted in any way.

The card and its contents were confiscated by the conference in order to protect the voters included on the database. Shelby County officials were informed of the potential data breach. A representative for the county’s election commission told Gizmodo it is “aware of the allegations about the happenings at DEF CON, and we are currently looking into it.”

Even if the ExpressPoll-5000 would have been wiped clean of voter data, the machine carried a number of security vulnerabilities that would allow an attacker to potentially disenfranchise thousands of voters. A person with access to the memory card could mark voters as having already voted absentee, for instance, presenting them from casting a vote on election day.

If party affiliation is tracked by the machine, such an attack could target specific voters. Even without that information, it could be used to prevent voters from certain districts from voting based on address. Any form of such an attack would call into question the integrity of an election.

Security in other voting machines used at the Black Hat convention also did not inspire confidence. Hackers were able to exploit vulnerabilities in every machine presented —most within two hours and some in a matter of minutes.