Originally published on www.iapp.org
April was a big month for information disclosures related to how governments protect the data of their country’s citizens. Turkey, the Philippines and Mexico each had information related to millions of their residents disclosed last month. Each country’s security incident has its own nuances relating to how the breach occurred, whether the data was already public, and the subsequent actions. For example, in Turkey, the communications minister said the leak initially occurred in 2010 and was an “old story.” In the Philippines, the Commission on Elections (Comelec) initially stated the data available was already accessible to the public. However, the data contained in the compromised database includes fields related to fingerprint data, which probably wasn’t meant to be accessible.
Recently, arrests have been made in the Philippines, although the initial suspect stated he only defaced the site, while others took data. In Mexico, the details on how the data was posted to Amazon Web Services (AWS) and who did it haven’t been made public, if they are known.
| Country | Incident | Number of Affected Citizens |
| --- | --- | --- |
| Turkey | Decrypted database of Turkish National Police | 50 Million |
| The Philippines | Anonymous Philippines Compromise of Comelec site | 55 Million |
| Mexico | Found Voter Database on Amazon | 93 Million |
Searchable voter records in the U.S.
While there are large databases of aggregated voter data in the U.S., the original records are owned by individual states. Voter information in most states is considered a public record, and thus subject to the regulations of such states and their local governments. Typically, a state will classify its voter data as unrestricted or for a particular purpose (i.e., electoral). Nearly every state has an Internet-facing website to search for voter records and, while the intent of the state in making such information available is generally not for commercial use, no uniform, adequate safeguards exist to prevent someone from using the data for unintended purposes. Even if the state law restricts use, not all states publish a formal warning on the site. By way of example, but not limitation, the State of Florida does have a clear disclaimer. The input search criteria vary from state to state, although often only first name, last name and date of birth are needed. Some states require a bit more information, such as driver’s license number and/or voter ID number, while other states require less, such as just first name and last name. Some states also optionally will accept the last four digits of a Social Security number.
The future of public records
Voter records are just one example of a public record. Many states consider that public records are the property of the people (meaning their citizens). Births, marriages, divorces, census-type data, certain tax-related data and other records are often categorized as public records. Like voting records, many states, counties and municipalities make these records readily available to citizens through online databases. In fact, the output from a voter record search may include address, race, ethnicity, gender, or other information that may not seem relevant to voter data. It isn’t always easy to understand what is and what is not a public record and it is not always intuitive when reviewing state laws. Lists are non-exhaustive, and exceptions exist. Within a state’s legislation, there will frequently be a general statute about what is considered a public record (for example, see N.C. Gen. Stat. § 132-1 et seq.). Often, specific information from a department or information system may be listed as to whether such information is considered a public record according to this statute. An example can be found by searching for the term “public record” in the recent North Carolina budget bill. The search will identify public record references, typically exclusions, related to criminal records, anonymous tips, scholarship grants and more.
Increased demand for government transparency and open records, as well as budgetary constraints associated with the physical storage of paper records, imply that the recent trend of placing more information on the Internet will continue, not only at the individual state level, but at the city and county levels as well. Many counties publish tax records related to real estate and personal property, which include things like motor vehicle taxes. Some counties have data freely searchable online that goes back 20 or more years. For individuals under the age of 40, there’s a decent chance the answer to one of their password reset questions relates to the make or model of their first car, which is now available online.
The next potential step, albeit a big step, may include income-tax records, which are quickly becoming an assumed disclosure requirement for politicians and those in certain positions. There are several countries, most notably Norway, that have made income-tax records searchable online. It should be noted that Norway has a long history of having income-tax returns categorized as a public record and that while income-tax data is searchable online, the actual return is not viewable. Additionally, over the last 15 years Norway has modified how long the records are viewable and whether individuals can be informed of searches. A recent research paper titled “The Effects of Income Transparency on Well-Being: Evidence from a Natural Experiment” covers some interesting aspects of Norway making the records accessible. There is no mention of potential security consequences in the paper (which is understandable as that isn’t the focus), but there are details on the number of users, searches and requirements. Initially, the site required no authentication; however, in 2013 a PIN and password were required. Even with the authentication requirements, which reportedly decreased the number of overall searches, 17 million queries occurred in 2013. That is a fair amount of traffic from a population of just over 5 million, although the registered number of users of that application is closer to 1 million. The more users of a site, the higher the probability one or more of them is using the site with malicious intent. Sites without authentication are also more likely to be targeted, although this may not discourage a determined attacker.
Protecting Internet-searchable public records
As Norway has demonstrated with its authentication requirements, there are controls that can be implemented to protect public records. State and local governments’ budgets are limited and under scrutiny, so there is a tendency to implement inexpensive and/or easy-to-maintain solutions. While governments may have requirements to protect confidential data, there isn’t much, if any, guidance around protecting public data. Given the prevalence of recent attacks on voter data and public records, below is a non-exhaustive list of items government CIOs should consider:
- Formally classify the data so everyone knows what is public and remove any non-public data;
- Segment off the systems sharing public data to minimize the likelihood a breach in the public record search affects other confidential data;
- Tokenize or encrypt data at rest so a compromise of the application may not result in a full disclosure of the database contents;
- Use the latest transport layer security (TLS) protocol (i.e. TLS v1.2) to encrypt transmissions so organizations do not unwittingly store data that is public, but restricted;
- Perform penetration tests of applications before placing them online to identify vulnerabilities early and conduct vulnerability scans frequently;
- Consider bug-bounty programs to leverage a larger security community of researchers;
- Ensure an incident response program includes data breach preparations;
- Place warnings on the website so there is no uncertainty about the intended use;
- Enable logging and monitoring controls to identify potential abuses in usage; and
- Implement controls to minimize the potential to enumerate the entire database, for example.
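As an added illustration of the logging, monitoring and anti-enumeration items in the list above (not part of the original article): a sketch that scans the search log of a hypothetical voter-lookup site and flags clients that look up many different people, or try many birth dates for one name, within a short window. The log format, thresholds and sample entries are assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed review window
MAX_PEOPLE = 3                  # assumed: distinct names per client per window
MAX_DOB_TRIES = 2               # assumed: birth dates tried for one name per window

# Constructed sample log: timestamp, client, last name, first name, date of birth searched
SAMPLE_LOG = """\
2016-05-02T09:00:01 198.51.100.7 AARON ADA 1980-01-01
2016-05-02T09:00:03 198.51.100.7 AARON BEN 1980-01-01
2016-05-02T09:00:05 198.51.100.7 AARON CAL 1980-01-01
2016-05-02T09:00:07 198.51.100.7 AARON DEE 1980-01-01
2016-05-02T09:10:00 203.0.113.20 REYES MARIA 1975-03-01
2016-05-02T09:10:04 203.0.113.20 REYES MARIA 1975-03-02
2016-05-02T09:10:08 203.0.113.20 REYES MARIA 1975-03-03
2016-05-02T09:15:00 192.0.2.44 OKAFOR JAMES 1968-11-30
2016-05-02T09:15:40 192.0.2.44 OKAFOR JAMES 1968-11-03
2016-05-02T08:00:00 192.0.2.90 LEE ANN 1990-02-02
2016-05-02T10:00:00 192.0.2.90 LEE BOB 1990-02-02
2016-05-02T12:00:00 192.0.2.90 LEE CY 1990-02-02
2016-05-02T14:00:00 192.0.2.90 LEE DI 1990-02-02
"""

def parse(log_text):
    for line in log_text.splitlines():
        ts, client, last, first, dob = line.split()
        yield datetime.fromisoformat(ts), client, (last.upper(), first.upper()), dob

def detect(log_text):
    """Return a sorted list of (client, reason) alerts."""
    recent = defaultdict(deque)  # client -> searches still inside the window
    alerts = set()
    for ts, client, person, dob in sorted(parse(log_text)):
        window = recent[client]
        window.append((ts, person, dob))
        while ts - window[0][0] > WINDOW:  # expire searches older than the window
            window.popleft()
        people = {p for _, p, _ in window}
        dobs_for_person = {d for _, p, d in window if p == person}
        if len(people) > MAX_PEOPLE:       # many different people: bulk harvesting
            alerts.add((client, "enumeration"))
        if len(dobs_for_person) > MAX_DOB_TRIES:  # guessing the missing search field
            alerts.add((client, "dob-guessing"))
    return sorted(alerts)

if __name__ == "__main__":
    for client, reason in detect(SAMPLE_LOG):
        print(client, reason)
```

The single corrected birth date from 192.0.2.44 and the four lookups spread across a day from 192.0.2.90 stay below both thresholds, so only the two burst patterns are reported.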
A system that searches for a public record, but requires authentication — from a dedicated kiosk that is not Internet facing — is technically feasible. Such a system presumably would still meet the letter of the law, as generally public records are not required to be searchable on the Internet. Alas, the connection between public records and Internet searchable information will continue to grow. Unless governments begin considering the ramifications of legislation related to public records and the implementation of technology to support that legislation, breaches like those experienced last month will undoubtedly continue to occur.
About the Author
Matt Wilgus is a Practice Director at Schellman & Company, Inc. Matt leads the Security Testing and Assessment offerings. In this role he heads the delivery of Schellman’s penetration testing services related to 3PAO and PCI assessments, as well as other regulatory and compliance programs. Matt has over 19 years’ experience in information security, with a focus on identifying, exploiting and remediating vulnerabilities, in addition to extensive experience enhancing client security programs while effectively meeting compliance requirements.