In a disturbing discovery, security researcher Chris Vickery announced that he found a database of information on more than 191 million American voters from all fifty states exposed on the Internet because the database was incorrectly configured. The information includes the names, addresses, phone numbers, dates of birth and political affiliations of the people contained in the database. Chris Vickery, you may remember, was the researcher who also recently found a similar data vulnerability with the Hello Kitty website. There is no indication at this time that the information has been accessed by identity thieves and scammers, who could use it to advance any number of illegal activities, such as spear phishing to lure people into downloading keystroke logging malware. Such malware would enable the identity thief to steal the victim’s personal information from their computer and use it to make them a victim of identity theft. As I write this Scam of the day, the vulnerable database remains available online.
Generally, voter registration data is a matter of public record in most states. The various states have differing rules limiting the use of the data. For instance, South Dakota requires that such data not be provided to people for commercial use. Compiling all of the data from all of the states is a time-consuming effort, but the effort is worthwhile for companies that gather the data and sell it to political campaigns to assist them in getting their message out in an effective and targeted manner.
This is just another example of the need for greater regulation regarding access to the vast amounts of personal information about us all that is so accessible in the computer age. This also serves as a warning to everyone to follow my motto of “trust me, you can’t trust anyone.” Scammers and identity thieves with access to personal information about you can tailor their messages and scams to make them appear more legitimate because of the information about you that they have. This is why you should never provide personal information such as credit card numbers, bank account information or Social Security numbers to anyone who contacts you unless you have confirmed that they are legitimate. Too often they may be a scammer or identity thief who is just using personal information he or she gained elsewhere to entice you into providing personal information under some legitimate-sounding guise that will, in turn, be used against you to make you a victim of identity theft or the victim of a scam.