Cyber security firm UpGuard discovered the database which included voter names, addresses, phone numbers, driver’s licence numbers, and partial Social Security numbers. The database was operated by Omaha-based voting machine firm Election Systems & Software.
It appeared to have been produced around the time of the 2016 general election for the Chicago Board of Election Commissioners, an ES&S customer since 2014, the company said.
The data was found by UpGuard's director of strategy Jon Hendren.
It was located at the AWS S3 subdomain “chicagodb”, and the main repository had two folders: “Final Backup_GeneralNov2016” and “Final Backups_6_5_2017,” .
There was also a 12GB MSSQL database file. Many filenames indicated the name of ES&S, a prominent US provider of voting machines and associated software.
He analysed the data and found that it consisted of a 12GB file, a 2.6GB file and a 1.3GB file stored in each folder.
Each was a separate copy of a database containing the personal information of 1.864 million Chicago voters. The affected municipality was notified and the repository was secured on 12 August.
"While the databases contain a large number of SQL tables, with filenames including such phrases as 'BallotImages', 'polldata_summary', and 'pollworker_times', of perhaps greatest interest is the table set titled 'dbo.voters'," UpGuard said.
"This dataset lists the 1.864 million Chicago voters, each assigned a unique, internal voter ID, as well as their names, addresses, dates of birth, and more identifying details across dozens of columns."
The UpGuard staffer who wrote the article about the discovery, Dan O'Sullivan, is a Chicago resident and registered voter, and he was able to verify the accuracy of the data by looking himself up.
"The rapid closure of this breach by ES&S, and the ready co-operation of the City of Chicago in securing this data, is good news for all registered voters in the city," UpGuard said.
"Once an exposure is found to have happened, it is imperative to move swiftly to foreclose upon the possibility of any exploitation of the data by malicious actors.
"However, for real cyber resilience to take hold, IT enterprises must begin to craft processes capable of checking and validating any such openings before it reaches the public Internet, lest the barn door be closed only after the horse has bolted."