Illinois voter registry breach smaller than first thought

State election officials suspect hackers stole the personal information of 86,000 voters, not 200,000 it first suspected. 

An admission by an Illinois election official last week that hackers stole the personal information of 200,000 voters incited worries about how to safeguard the Nov. 8 elections across the country.

It turns out the breach was smaller than the state had thought, according to an update from the Illinois State Board of Elections.

The board suspects hackers viewed the records of 86,000 voters, according to an Aug. 31 press release. The board confirmed 700 of those records had been viewed. Hackers could have breached voters’ names, address, and dates of birth. If a voter listed it, hackers could have also viewed his or her phone number, email address, driver’s license number, or the last four digits of his or her Social Security number.

“[But] the board is sure no records have been altered or changed in any way,” reads the release.

Along with the leak of Democratic National Committee emails in June, news of breaches of the Illinois and Arizona voting systems has led to concerns about how to protect the integrity of future elections. But, the board’s update underscores state and federal officials still don’t know these hackers’ motivations and how credible a threat they pose.

“We don’t know whether the hackers were engaging in espionage, attempting to manipulate the election, or just harvesting low-hanging cyber fruit for their financial gain,” Jessica Beyer, a cybersecurity postdoctoral fellow at the University of Washington, and author of “Expect Us: Online Communities and Political Mobilization,” writes in a column for Reuters.  

“Neither the DNC nor the voter registration attacks,” she adds, “should come as a surprise. With so many actors, motives, and targets, cyber attacks are inevitable.”

When Illinois officials became aware of a breach in July, they shut down their voter registration system for 10 days.

“This was a highly sophisticated attack most likely from a foreign [international] entity,” Kyle Thomas, director of voting and registration systems for the state board of elections, wrote in a Facebook message sent that month to all election authorities in the state.

With an FBI investigation into the breach ongoing, the board in Illinois is now “confident” no information in the database was added, changed, or deleted, and many of the voter records viewed contained information otherwise publicly available from other sources, according to the Aug. 31 release.

In Arizona, meanwhile, it appears hackers used malware steal the username and password of just a single election official in Gila County, according to The Washington Post.

Yet, because hackers could, in theory, sway elections, state and federal officials aren’t taking any precautions.

“Having access to voter rolls, for example, could allow hackers to digitally alter or delete registration information, potentially denying people a chance to vote on Election Day,” writes Politico’s Cory Bennett and Eric Geller. “Or news of the attack could simply fuel further distrust in the U.S. election system, which Trump has repeatedly alleged is ‘rigged.’ ”

The White House, FBI, and Department of Homeland Security have all taken steps to understand this threat. The White House has ordered a Cold War-era organization, the Foreign Denial and Deception Committee, to perform a classified study of the implications of Russia’s recent hack of the DNC, according to NBC News. The FBI and Department of Homeland Security have also warned all election officials of the threat of possible cyber threats, and have offered their assistance to these state entities to protect their systems.

Cybersecurity experts have also warned that electronic voting systems are an easy target for hackers, as The Christian Science Monitor’s David Iaconangelo reported Thursday. But, 35 states backup ballots through an electronic paper trail, allowing election officials to cross-reference electronic voting records with physical ones. But the Verified Voting Foundation says five states – N.J., Delaware, Louisiana, Georgia, and South Carolina – lack such a system. 

These concerns shouldn’t come as a surprise, however. Ms. Beyer, the cybersecurity postdoctoral fellow, writes it’s the age we live in.

“These records attacks highlight the need for every organization that manages private data to work harder at making it secure,” she writes. “Whoever the actor and whatever their motive, the world is rich with appealing data targets.”