David Bloys - News For Public Officials
October 25, 2006
Registering to vote in Illinois could cost you your identity.
A civic organization in Illinois recently showed officials how they found sensitive personal information, including everything identity thieves and election fraudsters would need, on the Chicago Board of Elections' Website.
For at least the last six years, the Election Board's website has exposed the Social Security numbers and birth dates of more than 1 million registered voters to anyone with a computer.
The Illinois Ballot Integrity Project is a not-for-profit, non-partisan civic organization dedicated to informing and educating the public, media and government officials about important election-integrity issues.
Representatives with the civic group say that someone conceivably could log into the Board's Website and make changes, perhaps changing voters' status to inactive or changing their polling places.
Board of Elections officials say they have no reason to believe this has happened or anyone has messed with the system thus far.
It would be difficult to determine how many people have seen the sensitive information or may use it for criminal purposes in the future.
The Elections website gets hundreds of thousands of visitors during election season. Visitors from anywhere in the world can check registration status, or find a polling place. According to the Illinois Ballot Integrity Project, they could also get personal information on registered voters, including date of birth and Social Security numbers.
Project members were looking at voter registration information on the site when they discovered the problem.
The board of elections thought they had closed access to this information but it was still on their database. They had no idea Internet users could still access it. The board met with the Ballot Project people last week to fix the problem.
"Our computer people figured out right away what the problem was. Those connections were severed, and they agree that you can no longer hack in," Tom Leach, Chicago Board of Elections, told reporters with WLS ABC-7. The biggest threat to the system, they say, would be identity theft. They believe the election process is not affected.
The board says it is taking a number of steps to make sure no one has used the information for identity theft purposes. They are bringing in an outside computer expert to check for any signs of hackers, but the site wasn't hacked. It was simply accessed in the form the board provided.
According to Bob Wilson, of the Ballot Initiative Project, hacking skills were not necessary to view the sensitive information. "We kind of accidentally started digging a little deeper and seeing if we could get personal information of voters. At that time, alarm bells went off."
Leach says the board is eliminating the database of full Social Security numbers. They will go by the last four numbers only.
In effect, the board plans on redacting the numbers that identity thieves don't need while leaving the critical last four digits intact. Banks and credit card companies use the last four digits to identify customers who call in to change their accounts. Additionally, the board will not be able to remove any sensitive information from computers that have already accessed the site.
"What we don't want is voters to think is, because of this problem, they're going to encounter problems in the November 7th election," Leach said.
He's probably right. Chicago voters will only have problems with their identities for the rest of their lives, not their votes. Now that the Board of Elections has published their private information, anyone who downloaded the information can assume their identity, wipe out their credit, commit crimes, create tax liabilities, even have surgery or access the welfare system in their name.
Holding the Facilitators Accountable
Only one in 700 identity thieves is caught, and few victims ever know the true identity of the criminals. Holding those who facilitate identity theft accountable is the quickest path to protecting American citizens.
The Chicago Elections Board provided the information for one of the largest data breaches since the ChoicePoint debacle that exposed 163,000 people to a Nigerian criminal cartel.
The Federal Trade Commission held ChoicePoint accountable and the company settled with the FTC for $10 million in civil penalties and $5 million for consumer redress.
Hundreds of cases have been filed that seek to hold facilitators of identity theft accountable for data breaches. Last year, Florida's 11th Circuit Court of Appeals held that individuals suing under federal privacy laws qualify to receive monetary damages even if they did not suffer financial harm.
The court ruled, "Damages for a violation of an individual's privacy are a quintessential example of damages that are uncertain and possibly unmeasurable. Since liquidated damages are an appropriate substitute for the potentially uncertain and unmeasurable actual damages of a privacy violation, it follows that proof of actual damages is not necessary for an award of liquidated damages."
No matter how careful you think you are when it comes to who gets access to your personal information, increasingly, criminals are finding all the information they need about you on state and local government Websites. Top attorneys are investigating these cases nationwide.
Victims of data breaches should hold the facilitators accountable by filing a complaint with lawyers who take these cases seriously. The service is free and confidential.