An Amazon Web Services (AWS) server containing files and sensitive information from registered voters in California was left exposed online , allowing it to be stolen and used by cybercriminals to extort a ransom.

The database was discovered by security researchers at Kromtech Security Center and contained at least 4GB of files, believed to be a collection of 19,264,123 voter records from the state of California.

The records contained a variety of sensitive information including full names, addresses, phone numbers, dates of birth and voting precincts of California citizens. According to the researchers, the database did not appear to contain Social Security numbers or any financial information.

Kromtech collected samples from the database earlier this year while scanning thousands of servers that were publicly available due to misconfigurations. By the time the researchers began examining the sample, the original database had been hijacked and deleted by cyber criminals, making it impossible to identify the original owner.

It is believed that the database containing California voter records was hit by a wave of ransom attacks that targeted vulnerable and public-facing databases. The spree hit more than 32,000 databases earlier this year.

The security researchers did discover a ransom note left by the attackers in the database that provides insight into what happened. After gaining access to the database, the cyber criminals demanded a payment of 0.2 Bitcoin (approximately $3,500 at Bitcoin’s current value) in exchange for the data being returned.

“Your DataBase is downloaded and backed up on our secured servers,” the note from the attackers read. “To recover your lost data: Send 0.2 BTC to our BitCoin Address and Contact us by email with your MongoDB server IP Address and a Proof of Payment. Any email without your MongoDB server IP Address and a Proof of Payment together will be ignored. You are welcome!”

A number of hacking groups have been identified as being behind these types of attacks. A group identified as Harak1r1 has been known to c arry out similar ransom schemes . Others that have been identified in the past include a group called Own3d and a collective that goes by 0704341626asdf.

A second, larger unsecured database was also discovered by Kromtech researchers. It contained 22GB of data and more than 409 million records that contain voting district information including county codes and registrant ID numbers.

The researchers theorized the second database is a complete collection of all California voter registration records.The California Secretary of State’s office has been informed of the discovery and told the researchers it is “looking into it” but has not provided any additional details regarding the apparent breach or investigation.

“This is a massive amount of data and a wake up call for millions citizens of California who have done nothing more than fulfil the civic duty to vote,” Kromtech Security Center’s Head of Communications Bob Diachenko said.

“This discovery highlights how a simple human error of failing to enact the basic security measures can result in a serious risk to stored data. The MongoDB was left publically available and was later discovered by cyber criminals who seemed to steal the data, which origin is still unknown.”

RELATED STORIES
Security California Security Bitcoin