|
|
http://www.suntimes.com/news/politics/222892,CST-NWS-data22.article
By Art Golab
Staff Reporter
January 22, 2007
About 100 computer discs with 1.3 million Chicago voters' Social
Security numbers have been distributed to aldermen and ward
committeemen, and the whereabouts of at least an additional six CDs with
the same information are unknown, according to the Chicago Board of
Elections.
This follows another security lapse in October 2006, when voters' Social
Security numbers were available through the board's Web site. But unlike
the Web site flaw, which was fixed in a few minutes, it will be
difficult, if not impossible, for the Board of Elections to retrieve
sensitive data physically scattered on more than 100 discs throughout
the area.
The discs also contain voters' birth dates and addresses -- information
that along with Social Security numbers can be used to commit identity
theft.
The board said that, so far, there has been no evidence of identity
theft as a result of the lapse, but that -- as required by state law --
it will be notifying voters their Social Security numbers may have been
compromised.
The latest leak of sensitive voter information was uncovered by 43rd
Ward aldermanic candidate and technology expert Peter Zelchenko, who
also discovered the Web site security hole last October.
"This information must be on campaign computers and in desk drawers all
over the city," said Zelchenko.
Zelchenko discovered voters' Social Security numbers on a so-called
"Ward Work" CD, which is supposed to contain voter names and addresses
and is given on request to anyone affiliated with an aldermanic
campaign.
'Grave doubts'
The board claims that only Zelchenko and one other aldermanic candidate
mistakenly received the sensitive data since 2003. But in investigating
queries from the Chicago Sun-Times, board officials found out about the
other 100-plus CDs, spokesman Tom Leach said. Social Security numbers
were inadvertently included on those discs, which were created by the
board in the wake of the 2003 fire at 69 W. Washington, where it
maintained computers with voter records.
"We couldn't maintain our voter-registration system, so they downloaded
the whole file for committeemen and aldermen," Leach said.
Records on the CDs contain information about 2.2 million active and
inactive voters, but only 1.3 million of the records contain Social
Security numbers.
"This is a security gap of the highest order, but whether or not it
represents any danger is completely unknown," said DePaul University
computer scientist Jacob Furst, who heads the university's Information
Assurance Center. "But you've got a whole bunch of these discs laying
around. . . . I can imagine a whole bunch of awful scenarios."
And it worries Furst that the lapses occurred at an agency responsible
for counting votes.
"It would, in my mind, cast grave doubts on electronic voting," he said.
"My sense is that these are people with the best of intentions, but
[they] don't know enough about the possible consequences of using
technology and so are making mistakes."
Audit may be sought
But Leach said that because electronic voting is heavily monitored and
every vote generates a paper record, the results will remain secure. He
added that the board is likely to ask accounting firm Grant Thornton to
perform an audit of all of its computer operations.
The firm is already working on a report on the October 2006 Web site
leak.
Since October, complete Social Security numbers have been scrubbed from
the election board's Web site.
Zelchenko has set up another site, www.re4m.org which registered voters
can use to find if their Social Security or telephone numbers were
exposed on these discs.
agolab (at) suntimes.com
Copyright 2007 Sun-Times News Group
_____________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn