A US government voting machine that was reportedly sold on eBay was found to contain personal and sensitive data of over 650,000 US voters. The machine was reportedly purchased by white-hat hackers for use at the Def Con hacker conference in Las Vegas. Although organisers believed that the voting machine, an ExpressPoll-5000, had been wiped clean of all data, the hackers found that it still contained sensitive data.
The data on the machine was reportedly not encrypted or password-protected. The data exposed included names, addresses, birthdays and political party affiliations. The data reportedly belonged to the residents of Shelby County in Tennessee.
Josh Palmer, a security researcher who first uncovered the database, which was stored on a removable memory card, told Gizmodo: "It's just on the drive. There was no password on it." He said that ES&S (Election Systems and Software), the manufacturer of the ExpressPoll-5000, "could have encrypted it", but "they chose not to encrypt it".
The memory card that contained the voter records was confiscated. A spokesperson for the Shelby County Elections Commission, Suzanne Thompson Cozza, said the commission was "aware of the allegations about the happenings at Def Con, and we are currently looking into it."
However, the voting machine data breach itself isn't the most alarming part; the security of voter records is. According to security experts, voting machines like the ExpressPoll-5000 could be manipulated by hackers to change the outcome of a vote.
For instance, if a hacker were to get their hands on the machine's memory card prior to the election, they could mark some or all voters as having already voted absentee, thereby blocking them from casting their actual vote. "I could write a script to do that in seconds," Palmer said.