Illinois voter data hacked....Dear Election Authority,
We will begin the process of bringing IVRS and the Paperless Online Voter Application (POVA) system back online tomorrow (Thursday, July 21st). Below is an explanation of why the systems have been unavailable for the past week.
The State Board of Elections (SBE) fell victim to a cyberattack that was detected on July 12, 2016. Specifically, the target was the IVRS database. Once discovered, State Board of Elections closed the point of entry. On July 13th, once the severity of the attack was realized, as a precautionary measure, the entire IVRS system was shut down, including online voter registration.
SBE’s Information Technology and Voting and Registration Systems staff immediately began researching the extent of the infiltration. Thus far, we have determined the following:
· The pathway into IVRS was NOT through our firewalls but through a vulnerability on our public web page that an applicant may use to check the status of their online voter registration application.
· The method used was SQL injection. The offenders were able to inject SQL database queries into the IVRS database in order to access information. This was a highly sophisticated attack most likely from a foreign (international) entity.
· We have found no evidence that they added, changed, or deleted any information in the IVRS database. Their efforts to obtain voter signature images and voter history were unsuccessful.
· They were able to retrieve a number of voter records. We are in the process of determining the exact number of voter records and specific names of all individuals affected. (Because of the complex methods used to access the data, this may take 10-15 days.)
· In an effort to prevent an attack such as this from happening in the future, we have made a number of security enhancements to the IVRS and POVA systems.
· Once the system is brought back online, all IVRS user passwords will need to be changed at the first login (or by your vendor for system specific accounts). The new password must be a minimum of eight characters in length, one of which must be a non-alphanumeric character ($, *, # etc.).
Pursuant to the Personal Information Protection Act (815 ILCS530/), the Illinois General Assembly and the Office of the Attorney General have been notified of the incursion. Furthermore, once we have determined the number of voter records and the individuals whose information was collected, we are prepared to take the proper steps required to notify those persons.
A separate notification will be sent indicating when you and your staff may access IVRS. Thank you for your patience regarding this matter.
Kyle Thomas
Illinois State Board of Elections
Director-Voting and Registration Systems
Office(217) 782-1590
Fax-(217)782-5959