Fake 'Russian Hack' Of Public Michigan Voter Rolls Gets Absurdly Overhyped On The Interwebs
from the good-old-fashioned-freak-out dept
On Tuesday morning a story began making the rounds indicating that Russian hackers had somehow managed to hack into Michigan’s election systems, gaining access to a treasure trove of voter data. Russian newspaper Kommersant was quick to proclaim that nearly every voter in Michigan — and a number of voters in additional states — had had their personal information compromised. The report was quickly parroted by other outlets including the Riga-based online newspaper Meduza, which insisted that the breach was simply massive:
“Russian hackers have leaked the personal data of nearly every voter in Michigan (7.6 million of the state?s 7.8 million voters), as well as the information of another million voters in Arkansas, Connecticut, North Carolina, and Florida, according to the newspaper Kommersant. The data recently appeared on a Darknet forum, posted by a user nicknamed ?Gorka9.? The information was current as of March 2020 and a source at the security firm ?InfoWatch? confirmed to Kommersant that the data is authentic.
For each American voter targeted in the leak, the following information is now available: full name, date of birth, sex, date of registration, home address, zip code, email address, voter ID number, and polling station number.”
The reports also insisted that hackers were then exploiting the U.S. Rewards for Justice Program to get paid for bringing the hack to the attention of the U.S. government. From there, the story quickly ballooned across Twitter, thanks in part to journalists:
The problem? This data was already either widely available, or available via a basic Freedom of Information Act (FOIA) request. Much like the recent hysteria over TikTok (in which many people act as if banning the app prohibits China from accessing U.S. user data that’s available pretty much everywhere thanks to our crap privacy and security standards), people that actually study or report on infosec for a living were then forced to try and do damage control by adding useful context. That context being that the ease in which anybody could obtain this data means it doesn’t actually hold much value:
This sort of data is generally very available and not of much value.
From 2016, when people were hyped about back then: Voter Records Get Hacked a Lot, And You Can Just Buy Them Anyway https://t.co/HQ6ncfUvai
Election security coverage can be really dumbhttps://t.co/E4h6CNFL8d
— Joseph Cox (@josephfcox) September 1, 2020
The disconnect between those that cover infosec for a living, and those who engage in security or privacy tourism on Twitter was a bit jarring:
Michigan's voter records were not hacked. A Michigan voters file was posted on the site "raidforums" by user Gorka9. The file itself, available at https://t.co/og5TRC2mbo, contains only publicly available information from Michigan's qualified voter file. Thread: pic.twitter.com/tGVdxbVjzk
— Jack Cable (@jackhcable) September 1, 2020
The one truly interesting bit, that the U.S. tip line was being exploited to pay hackers for directing them to publicly accessible data, is far more interesting and will require additional reporting. Meanwhile, the Michigan Department of State was forced to issue a statement noting it was never hacked, and urging internet users to exercise a little better judgement in terms of what they choose to hyperventilate over:
All told, just another day on the internet. Granted, our non-transparent and dodgy election security systems in many states still pose a genuine threat to U.S. security. A threat that’s not being fully addressed due to the fact we seem to have idiotically made basic election security a partisan issue. But freaking out over inflated claims of hacks that never happened sure as hell isn’t helping to fix that problem.