Hackers demand ransom for California voter database

Hackers have deleted a database of potential California voters with more than 19 million entries, demanding around $3,500 to restore it.

Researchers at the security firm MacKeeper’s Kromtech research group first noticed the issue, but have not been able to identify the database’s owner to notify them. 

“We decided to go public to let everyone who was affected know,” said Bob Diachenko, head of communications for Kromtech. 

Kromtech primarily searches for misconfigured databases on cloud storage accounts that accidentally reveal private information to the public. In early December, they found a misconfigured database on an Amazon cloud account containing what appeared to be information on 19 million Californian citizens, including contact and mailing information as well as voting precinct information. 

A redacted sample of the files accessed by Kromtech.

But while the company was investigating the misconfigured files, they noticed the files were suddenly removed and replaced with a ransom note demanding 0.2 bitcoin, or about $3,500. 

Cloud storage accounts do not inherently list their owners. Often times, researchers like Kromtech will use the information from the exposed files to find and contact whoever controls the account to correct the security settings. 

{mosads}Kromtech had only had a chance to download one precinct’s worth of data before the ransom note appeared and did not have enough information to figure out who owned the account. Diachenko said Kromtech had contacted California Secretary of State Alex Padilla, who had similarly little luck finding the account holder. 

Padilla’s office confirmed to The Hill that they were investigating “unconfirmed” reports of an unsecured voter information database and had deployed law enforcement to help. The office stressed that the State’s systems had not been breached.

Many groups, including political consultants and advertisers, collect information on voters and potential voters. 

“We’ve seen this kind of ransom attack before,” said Diachenko, who noted that cybercriminals had been targeting the MongoDB platform used for this database since January of this year. 

The ransom note linked the attack to a group known as “cru3lty,” which Diachenko said Kromtech has seen in the past. Though bitcoin transactions are largely anonymous, the transactions from anonymous buyers and sellers are available for public view. Diachenko said that the bitcoin account connected to this ransom appears to have successfully taken a handful of ransoms in the past. 

Diachenko speculated that the size of the database would make it unlikely for the criminals to download and store a complete copy. Instead, he believes there is a good chance the files were immediately deleted and would never be restored even with a paid ransom. 

Kromtech, a division of MacKeeper, outlined the discovery in a blog posted Friday. 

With few leads to go on about who to contact about the database, it’s unclear if the victim is even aware its files have been pilfered. 

“We can only guess what happens next,” said Diachenko.