Cybersecurity firm UpGuard discovered the vulnerability on Aug. 11 on an Amazon Web Services device where data was left out in the open to be downloaded by anyone with the correct web address. The leak, first reported by Gizmodo, contained the names, addresses, date of birth, partial social security numbers, and state ID info of Chicago residents. The data was not protected by a password.
UpGuard notified state authorities and the FBI earlier this week as soon as it found the breach. The data files were then downloaded by a cyber risk analyst who pinpointed their origin. Federal officials then looped in ES&S, which began an investigation with help from UpGuard. The company assured the breach did not contain ballot information or vote totals, and that it had no impact on the election.
“The company is in the process of reviewing all procedures and protocols, including those of its vendors, to ensure all data and systems are secure and prevent similar situations from occurring,” ES&S said in a statement. ES&S secured the files and shut down the server on Aug. 12, one day after the leak was discovered.
In a similar leak in June, a data analysis contractor hired by the Republication National Committee left nearly 200 million Republican voters exposed on an Amazon server. UpGuard discovered the 25TB database and helped Deep Root Analytics patch up its system.