Election databases have emerged as attractive targets for hackers, as they have already infiltrated systems in at least two states, Illinois and Arizona.
The number of attempts by cyber criminals to compromise these databases are likely to accelerate, said Tom Landesman, a threat researcher at Cloudmark, a San Francisco-based provider of intelligent threat protection.
"A spattering of similar events, such as the misconfigured NationBuilder server accidentally exposing full voter history of nearly 200 million U.S voters in 2015, led by these two recent occurrences in Illinois and Arizona, suggest that these records continue to be a target," he said.
Since the voting registration and ballot system are separate systems in many states, hackers who are able to dig out the registration data are not likely to be able to enact much damage and influence an election, said Chris Roberts, chief security architect at Acalvio, a Santa Clara, Calif.- based provider of advanced threat detection and defense solutions.
The hackers will breach online voter registration systems through spear phishing of email or even Denial of Service attacks against specific websites, said Joram Borenstein, a vice president of marketing of NICE Actimize, a New York-based financial crimes software solutions provider.
Why Hackers Are Drawn
Scammers are always drawn to attaining additional personal information to steal identities or to resell on the Darknet. Breaches into databases remain the "largest" source of stolen personal records, Landesman said.
"It's also possible that a foreign group with interests in the U.S. political system may have been probing for ways to manipulate voting systems, though this theory is less likely," he said. "Whether or not it has the best ROI is debatable."
Compromises to other states have likely already occurred, according to the FBI, said Dan Lohrmann, chief security officer of Security Mentor, a Pacific Grove, Calif.-based security awareness training provider.
"Not all data breaches are created equal, nor do these issues rise to the level of compromising an election's integrity," he said.
The data is available to be purchased in several states already on websites such as www.ocvote in California, which offers information such as 'Registered Voter File by Area,' 'Voter File by Area,' 'Master Street File,' 'Statement of Votes Cast,' said Lohrmann.
Many users obtain the data for legitimate uses for campaigning, but flushing out the data through hacking would result in bypassing the "normal payment processes set up by governments," he said.
Even if the intent of the hackers is to merely "sow mistrust, discontent, discord and raise 101 questions over the election cycle," targeting the elections systems will help them succeed in their efforts, said Roberts.
"I don't have to actually succeed in hacking them, just sow enough doubt into the minds of the people that the 'democracy' they live in is faulty," he said. "What better way to do that than to simply demonstrate that portions of the electronic means of counting votes is rigged or can be compromised."
Hacking these databases will not be difficult because the criminals only need to wait for mistakes or miscalculations to occur, Roberts said.
"We have the code to the older Diebold systems which were a mess, but they've improved-ish," he said. "There are flaws in those systems, but you would need a concert effort to pull it off by a large team across multiple locations."
Since election databases often store not only the name, address and party affiliation, there is also driver license and some partial data on their social security number, which is offering the credentials on a silver platter, Roberts said.
With this set of credentials, the scammer can easily build "you" and open bank accounts in your name and of course, even commit fraud in your name, he said.
"I can get traffic tickets in your name," Roberts said. "I can then commit health care fraud in your name, and I can sell your information several times over. Now 'you' have value to me and if there's a whole database of those people, I have made my quota for a while."
How to Prevent Hacks
Since state government qualified voter files are backed up and verified regularly, the accuracy of the data is confirmed before the lists are issued to polling places. Even if a breach occurs, any discrepancies in the number of qualified voters or changes in names or addresses can be "easily identified and corrected," said Lohrmann said.
"Illinois, Arizona and other states still have time to recheck the voter data to ensure trustworthiness of their votes," he said. "Note that these lists are always being legitimately updated to add and delete voters in all states."
While basic voter registration information is low risk, the threat appears when cyber criminals merge together multiple sources of data from open sources and breached voter data, which could create "higher value identity theft against individuals," Lohrmann said.
Change your passwords and churn your credit card provider once a year after you prepare your tax return, because it will lower your odds of being scammed, said Carl Herberger, vice president of security solutions at Radware, a Tel Aviv, Israel-based cyber security company.
"While making all of these changes is a lot of work, in the long run it will serve you well as the effectiveness of different security models can decay over time," he said.
Avoid and limit the usage of websites without two-factor authentication such as a security token or biometrics such as fingerprints or voice recognition which leverage geo-location, Herberger said.
"The more you can combine these attributes to authenticate into a website or mobile app, the more secure it is," he said. "Turn your computer off when you are not online because one can't access a computer which is off."
Years of consumers remaining complacent about cyber security and not demanding more from companies has led to easy access for criminals, said Roberts.
"The pessimist in me wants to say 'not much,' because you've had plenty of opportunity to do things over the last 15 years of this mess," he said. "However, you still shop at Target, you still get your health care from Anthem and you still trust the banks."
Consumers should adopt a proactive stance by not shopping at places that lose their data or changing bank accounts. Instead, they simply wait for another credit card to appear, Roberts said.
"If consumers actually care about the situation, they should stop shopping at the stores that get hacked," he said. "They need to pay attention to the hacks and start to actually question the doctor when they want all of your information and walk out of the doctor's office when they can't tell you exactly how they protect your data."
The most common forms of identity theft are synthetic identity fraud, account takeover fraud and new account fraud in financial, medical and telecommunications accounts, said Borenstein.
"When one's personal information is stored in an organization's or business' database or repository, there is normally not a great deal that one can do since one has to rely on the other group having appropriate security and risk controls in place," he said.