[ISN] City loses voters' vital information

From: InfoSec News (alerts@private)
Date: Mon Jan 22 2007 - 23:17:21 PST


http://www.suntimes.com/news/politics/222892,CST-NWS-data22.article

By Art Golab
Staff Reporter
January 22, 2007

About 100 computer discs with 1.3 million Chicago voters' Social 
Security numbers have been distributed to aldermen and ward 
committeemen, and the whereabouts of at least an additional six CDs with 
the same information are unknown, according to the Chicago Board of 
Elections.

This follows another security lapse in October 2006, when voters' Social 
Security numbers were available through the board's Web site. But unlike 
the Web site flaw, which was fixed in a few minutes, it will be 
difficult, if not impossible, for the Board of Elections to retrieve 
sensitive data physically scattered on more than 100 discs throughout 
the area.

The discs also contain voters' birth dates and addresses -- information 
that along with Social Security numbers can be used to commit identity 
theft.

The board said that, so far, there has been no evidence of identity 
theft as a result of the lapse, but that -- as required by state law -- 
it will be notifying voters their Social Security numbers may have been 
compromised.

The latest leak of sensitive voter information was uncovered by 43rd 
Ward aldermanic candidate and technology expert Peter Zelchenko, who 
also discovered the Web site security hole last October.

"This information must be on campaign computers and in desk drawers all 
over the city," said Zelchenko.

Zelchenko discovered voters' Social Security numbers on a so-called 
"Ward Work" CD, which is supposed to contain voter names and addresses 
and is given on request to anyone affiliated with an aldermanic 
campaign.


'Grave doubts'

The board claims that only Zelchenko and one other aldermanic candidate 
mistakenly received the sensitive data since 2003. But in investigating 
queries from the Chicago Sun-Times, board officials found out about the 
other 100-plus CDs, spokesman Tom Leach said. Social Security numbers 
were inadvertently included on those discs, which were created by the 
board in the wake of the 2003 fire at 69 W. Washington, where it 
maintained computers with voter records.

"We couldn't maintain our voter-registration system, so they downloaded 
the whole file for committeemen and aldermen," Leach said.

Records on the CDs contain information about 2.2 million active and 
inactive voters, but only 1.3 million of the records contain Social 
Security numbers.

"This is a security gap of the highest order, but whether or not it 
represents any danger is completely unknown," said DePaul University 
computer scientist Jacob Furst, who heads the university's Information 
Assurance Center. "But you've got a whole bunch of these discs laying 
around. . . . I can imagine a whole bunch of awful scenarios."

And it worries Furst that the lapses occurred at an agency responsible 
for counting votes.

"It would, in my mind, cast grave doubts on electronic voting," he said. 
"My sense is that these are people with the best of intentions, but 
[they] don't know enough about the possible consequences of using 
technology and so are making mistakes."


Audit may be sought

But Leach said that because electronic voting is heavily monitored and 
every vote generates a paper record, the results will remain secure. He 
added that the board is likely to ask accounting firm Grant Thornton to 
perform an audit of all of its computer operations.

The firm is already working on a report on the October 2006 Web site 
leak.

Since October, complete Social Security numbers have been scrubbed from 
the election board's Web site.

Zelchenko has set up another site, www.re4m.org, which registered voters 
can use to find out if their Social Security or telephone numbers were 
exposed on these discs.

agolab (at) suntimes.com

Copyright 2007 Sun-Times News Group

