Security researchers disclosed this week the discovery of an unsecure database that exposed the personal information of nearly two million voters in the Chicago area.

The database, discovered by researchers at cybersecurity firm Upguard, contained voter names, addresses, phone numbers, driver’s license numbers and partial Social Security numbers of 1.864 million voters.

The data repository the information was stored in was owned and operated by the Omaha, Nebraska-based voting machine firm Election Systems & Software (ES&S). The information appeared to have been generated around the time of the 2016 general election for the Chicago Board of Election Commissioners.

Jon Hendren, the director of strategy at Upguard, made the discovery on August 11 when he found the the sensitive voter data housed in an Amazon Web Services S3 bucket—a term that simply means a place to store information. The database was configured for public access, which would allow anyone who knew the web address it was hosted at to be able to download the full contents of the database.

Ben Johnson, a former U.S. National Security Agency computer scientist and current chief technology officer and co-founder of Obsidian Security, told International Business Times the risk of data exposure increases with each additional party involved in the process.

“Every copy of data is a liability, and as it becomes easier, faster, and cheaper to transmit, store, and share data, these problems will get worse,” he said. “As contractors, partners and cloud providers get involved, the number of steps where data can be mishandled or the surface area for which to attack grows exponentially.”

STRUCTURE SECURITY -- USE THIS ONE
Newsweek is hosting a Structure Security Event in San Francisco, Sept. 26-27. Newsweek Media Group

The database operated by ES&S was secured within 24 hours of Upguard alerting the company of the issue, but it’s nearly impossible to say if Upguard’s researchers were the first to access the data—or what the intentions of others may have been.

“It’s hard to say malicious actors have found the data, but it is likely some were already hunting for it,” Johnson said. “Now, with more headlines and more examples of where to look, you can bet that malicious actors have already written the equivalent of search engines to more automatically find these hidden treasures of sensitive data.”

The exposure of the ES&S server is just the latest case of personal records being exposed due to a misconfigured database. Earlier this year, Down Jones—the publisher of the Wall Str eet Journal—fell victim to a similar error that exposed sensitive personal and financial details of millions of its customers.

14 million customer records from Verizon, including account PINs, were exposed by a third-party company in July. Personal information of more than three million WWE wrestling fans was also discovered in an exposed database the same month.

Perhaps the most troubling example occurred earlier this year 200 million voter registration files that could be used to identify American voters were discovered on an unsecured Amazon server owned by Republican data analytics firm Deep Root Analytics. The database contained voter names, dates of birth, home addresses, phone numbers and voter registration details including party affiliation. The data sets also listed voter ethnicity and religion.