Voter information open to hackers

From the Tribune:

Voter information open to hackers

By John McCormick
Tribune staff reporter
Published October 23, 2006, 9:31 PM CDT

Chicago election officials said Monday they were forced to patch a
security flaw on their Web site after a candidate found a programming
error that had made private voter information vulnerable to theft for
at least five years.

Officials said the glitch never threatened the integrity of election
records. But they now have to determine whether anyone exploited the
opportunity to steal the Social Security and birth date information
from more than 780,000 registered voters in the city.

"We don't have any evidence that there was any theft," said Tom
Leach, a spokesman for the Chicago Board of Election Commissioners.
"But we don't want to be in a position where someone had their Social
Security and date of birth stolen."

Officials acknowledged that for the last five or six years it would
have only taken a few keystrokes for a knowledgeable computer user to
obtain the personal information for more than half of the 1.3 million
identities in the system.

Leach said that the error was fixed late Friday and that the Cook
County state's attorney has been informed of the situation and the
potential for identity theft. He said the board plans to hire a
computer forensics expert to determine if personal information was
stolen.

Leach said the private information was on the Web site because when
it was first created in the mid-1990s, users were allowed to search
for their registration by Social Security number. That option was
dropped in 2000 or 2001, he said, adding that since 2003 officials
have stopped collecting full Social Security numbers from new voters.

Until the bug was fixed, the private information could be viewed by
using a feature in a Web browser that allows the user to see the raw
data that underlie the page.

Leach said board chairman Langdon Neal also has ordered employees to
delete all but the last four digits of Social Security numbers in all
electronic files.

City officials said they were alerted to the problem by 43rd Ward
alderman candidate and community activist Peter Zelchenko.

Zelchenko said he first presented information about the problem to
election officials in August, but he declined to further discuss the
matter.

Leach said Zelchenko initially did not offer any specifics but simply
alluded to a general security problem with the Web site.

"On Friday, he finally called and we asked him to come in," Leach
said. "He was not blown off, if that is what he is implying."

Leach said officials fixed the glitch within hours of seeing
Zelchenko demonstrate the problem.

The Illinois Ballot Integrity Project, which said Zelchenko is one of
its members, publicized the incident in a news release Monday.

"This is only the online database, not the real database," said Bob
Wilson, the group's Cook County chairman. "But they didn't flush out
sensitive information that didn't need to be on the Web site."

Kelley Quinn, a spokeswoman for Cook County Clerk David Orr, said the
online database for suburban Cook County voters has only the last four
digits of Social Security numbers and that the office is not aware of
any similar security breaches.

"Our voter registration management system is a database that sits
behind the county firewall. It is password-protected just like the
sheriff, Circuit Court and county tax records," said Clem Balanoff,
director of elections for Cook County. "We're comfortable that this
provides the necessary security to protect our data."