Saturday, December 16, 2017

19 Million California Voter records held for ransom attack on a MongoDB instance

Voter registration data for more than 19 million California residents that was stored in an unsecured MongoDB database has been deleted and held for ransom by attackers.

The incident was discovered by researchers at Kromtech; it is the latest in a long string of ransom attacks targeting unsecured MongoDB databases.

“In early December Kromtech security researchers discovered an unprotected instance of MongoDB database that appears to have contained voter data. The database named ‘cool_db’ contained two collections and was available for anybody with Internet connection to view and/or edit. One was a manually crafted set of voter registration data for a local district and the other appeared to contain the entire state of California with 19,264,123 records, all open for public access.” reported Kromtech.

“According to the LA Times California had 18.2 million registered voters in 2016 so this would logically be a complete list of their records.”

The attack sequence is similar to other hacks: the attacker scanned the internet for unsecured MongoDB databases, found this one containing the voter data, wiped the data in the archive and left a ransom request for 0.2 Bitcoin ($3,582 US at the current price).

Kromtech researchers were not able to identify the owner of the database because the crooks deleted the content of the archive; they could only analyze stats data and a few sample records extracted from the database shortly before it was wiped.


It is impossible to determine if the attacker made a copy of the data before wiping the MongoDB database or if other hacker groups found and made a copy of the voter registration database before it was deleted.

“It is unclear who exactly compiled the database in question or the ownership, but researchers believe that this could have been a political action committee or a specific campaign based on the unofficial title of the repository (“cool_db”), but this is only a suspicion. Political firms assist campaigns in building voter profiles. This information of California voters is governed by state law that dictates what kind of information can be released, and for what purposes.” states Kromtech.

In June, security firm UpGuard found an Amazon S3 bucket containing the details of 198 million US voters.

Once in the hands of crooks, voter data could end up for sale on the Dark Web; in June 2016 a seller using the pseudonym ‘DataDirect’ offered US voters’ registration records on the darknet marketplace “The Real Deal.”
