198 million Americans hit by voter records leak should get immediate credit freeze: experts

The 198 million US voters whose personal data was left on an unsecured server for anyone to access should request an immediate credit freeze to avoid having their identities stolen as a result of the breach, security experts have said.

“The members of the electorate involved in this incident should immediately request a credit freeze with the major credit bureaus, and keep close track of account activity through commercial credit monitoring services, or monitoring of their own accounts,” advised Robert Capps, VP of business development at NuData Security.

The data, which includes personal data and information on who each person is set to vote for and why, is thought to be the largest ever exposure of voter data, covering the vast majority of the 200 million people registered to vote in the US.

It was left on an open Amazon S3 storage server by Deep Root Analytics, a Republican data analytics company, and was discovered by Chris Vickery, a cyber risk analyst from UpGuard.

At present there does not appear to be a way in which individuals can check if they were affected, but anyone registered to vote in the US is likely to be at risk.

While the focus of the data was voting behaviour, containing information on the subject that goes back over a decade, voters should be more concerned about how their data could be used for more malicious purposes.

“This is a serious data leak, which allows nation states to target ordinary US citizens for additional attacks and surveillance, as well as detailed voting information,” said Capps.

“If this wasn’t bad enough, this highly detailed data could potentially be combined with stolen personal data from other data breaches already available on the dark web to create rich profiles of these individuals.

“Such profiles can be leveraged by cybercriminals and nation-state actors to not only track voting habits, but also use their identities for account takeovers, apply for new credit, and much more.”

While the risk to those affected is similar to previous leaks, this is not a leak or hack in the classic sense, but instead a matter of poor security practices.

“It sounds to me that this is another case of incorrectly secured cloud-based systems,” explained Terry Ray, chief product strategist at Imperva.

“Certainly, security of private data – especially my data, as I am a voter – should be of paramount concern to companies who offer to collect such data, but that security concern should ratchet up a few marks when the data storage transitions to the cloud, where poor data repository security may not have the type of secondary data centre controls of an in-house, non-cloud data repository.”

UK and French governments ready fines for tech firms who don’t search and destroy “terrorist content”

French president Emmanuel Macron and current UK prime minister Theresa May have announced a joint initiative that will see tech companies penalised for failing to remove content.

Plans drawn up by the two premiers include exploring the possibility of creating a new legal liability for tech companies if they fail to remove content, which could see companies being fined for failing to take action against criminal and terrorist content.

“The counter-terrorism cooperation between British and French intelligence agencies is already strong, but president Macron and I agree that more should be done to tackle the terrorist threat online,” said May.

“In the UK we are already working with social media companies to halt the spread of extremist material and poisonous propaganda that is warping young minds.”

The prime minister and president Macron have also stressed the need for tech firms to urgently establish an industry-led forum, which was originally agreed at the G7 summit last month.

The two countries and their leaders want tech companies to work together to develop shared technical and policy solutions that will tackle terrorist content on the internet.

“Today I can announce that the UK and France will work together to encourage corporations to do more and abide by their social responsibility to step up their efforts to remove harmful content from their networks, including exploring the possibility of creating a new legal liability for tech companies if they fail to remove unacceptable content,” said May.

Theresa May has been criticised in the past for seeking to create a legal liability that could force tech companies to monitor all online activity.

“The kneejerk ‘blame the internet’ that comes after every act of terrorism is so blatant as to be embarrassing,” said Paul Bernal, a law lecturer at the University of East Anglia, in an interview with the Guardian.

However, despite concerns that her approach is heavy-handed, in announcing the possibility of creating a legal liability May remained as steadfast as ever.

“We are united in our total condemnation of terrorism and our commitment to stamp out this evil,” said May.