Every time there's an election, the topic of hacking one comes to the surface. During a presidential election, that conversation gets louder. Yet, even the elections held every two years see some sort of vote hacking coverage. But can you really hack an election? Maybe, but that depends on your goals.
The topic of election hacking is different this year, and that's because someone is actually hacking political targets. Adding fuel to the fire, on Aug. 12, 2016, during an event in Pennsylvania, Donald Trump warned the crowd that if he loses the battleground state, it's because the vote was rigged.
"The only way we can lose, in my opinion -- and I really mean this, Pennsylvania -- is if cheating goes on," Trump said. This was no random remark either, Pennsylvania voting has been called in to question before. Such was the case when Republican supporters claimed Mitt Romney lost the state in 2008 due to fraud.
When it comes to hacking elections, most people imagine voting machines compromised in such a way that a vote for candidate 'A' actually counts as a vote for candidate 'B' – or the votes just disappear.
However, security experts who have tackled the topic of election hacking often come to a single conclusion, while the machines that process votes are riddled with vulnerabilities – 278 disclosed historically, none with a CVE ID assignment – they're not the problem. The real attack surface is the way voters are processed.
In a recent Privacy XChange Forum survey including 2,004 people, nearly 40 percent of those questioned said they were concerned about the amount of personal data in the possession of political parties and campaigns.
Earlier this year, CSO Online's Salted Hash, working alongside researcher Chris Vickery, broke the news that 191 million voter records were exposed due to database configuration issues.
A week later Salted Hash broke the news that a second database, holding details on 56 million voters, was exposed by similar database configuration breakdowns. Compounding the problem further, this second database contained targeted, issues-based details on 18 million people.
It is no small feat to steal an election but, it is not beyond the realm of possibility.
Dave Lewis, security advocate for Akamai
All of the information in the two databases came from the political parties, local election boards, and the voters themselves – who submitted it as part of a focused Q&A, donation questionnaire, or the data was collected from data brokers and public records.
Records like the ones exposed earlier this year are collected, sorted, sold, and shared among political operatives and campaigns; yet, every single record started out as a basic voter registration form.
Sign up for CIO Asia eNewsletters.