Pennsylvania pulls plug on voter site after data leak
Because the coming primary isn't fraught enough
IDG News Service - With voting in Pennsylvania's presidential primary just a month away, the state was forced to pull the plug on a voter registration Web site Tuesday after it was found to be exposing sensitive data about voters in the state.
The problem lay in an online voter registration application form that was designed to simplify the task of registering to vote. State residents used it to enter their information on the Web site, which then generated a printable form that could be mailed to state election officials. Pennsylvania's Department of State disabled the registration form late Tuesday after being informed of the vulnerability by IDG News Service.
Because of a Web programming error, the Web site was allowing anyone on the Internet to view the forms, which contained data such as the voter's name, date of birth, driver's license number and political party affiliation. On some forms, the last four digits of Social Security numbers could also be seen.
"Upon learning of this situation, the Department of State acted immediately to disable the specific page," said Department of State Spokeswoman Leslie Amoros in an e-mail message.
"The Department is reviewing the facts to determine how this information became available," she said. "We are also taking all necessary steps to correct the situation and are implementing processes aimed to prevent future occurrences."
"Being a security conscious programmer, I decided to test," wrote the reader, identified only as mtg169. "Very bad PA...very, very bad!"
The bug did not expose all registration data -- just the information supplied by those who used the Web site's online form. About 30,000 voter registration records appeared to be available on the site.
"That's bad, really bad," said Jeremiah Grossman, chief technology officer at Web security vendor WhiteHat Security Inc. In an e-mail, he said he hadn't seen this type of error on a voter registration Web site before, but that it was caused by a common Web programming error. "We've seen a great many vulnerabilities like this in the course of doing our work.
Many counties offer online access to voter registration data, so that residents can check on their status, but these databases typically remove data that could be misused, such as date of birth, Social Security numbers and driver's license numbers.
The last four digits of a Social Security number are often used as a security question, required to access certain types of billing accounts, and a skilled identity thief could use a driver's license number, name and address in a check-forging scheme, according to privacy experts.
- Top 12 Laptop Bags for Mobile Pros
- Think Deleted Text Messages Are Gone Forever? Think Again
- 7 New Faces of the C-suite
- 5 Ways CIOs Can Rationalize Application Portfolios
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Alert Logic for PCI DSS Compliance To achieve PCI DSS compliance, you must identify and remediate all critical vulnerabilities detected during PCI scans. Threat Manager streamlines this process by...
- Cybersecurity Imperatives Reinvent Your Network Security With Palo Alto Networks The Rise of CyberSecurity
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts