Metro East Sun

Michael Butler, Chairman of St. Clair County Republicans, has raised concerns over a significant data breach that exposed millions of Illinois residents to potential identity theft. He emphasized the urgent need for counties to enhance security measures and protect sensitive personal information to maintain public trust. Butler shared his statement with Metro East Sun on September 27.

"The Illinois voter data breach left millions exposed to potential identity theft, revealing just how vulnerable our personal information can be," said Butler. "Counties must step up their game and secure sensitive data, or risk undermining public trust in the democratic process. Stronger security measures aren't just nice to have—they're vital for protecting our privacy and keeping democracy safe. It's time to secure these systems and stop leaving citizens vulnerable."

According to Capitol News Illinois, 4.6 million records of Illinois residents were exposed on the internet. These records included voting records, registrations, and death certificates stored on an unsecured cloud platform. The data comprised Social Security numbers, birthdates, addresses, and voter history. Security researcher Jeremiah Fowler discovered the vulnerability in July and described it as one of the most sensitive voter data exposures he had encountered. Fowler contacted several county clerks and a technology vendor serving the affected counties. The breach impacted records in 15 Illinois counties, including Champaign, Sangamon, and Winnebago.

Cybernews reported that nearly 470,000 sensitive voter documents from the St. Clair County Clerk's office were leaked on an unsecured Amazon S3 bucket. Discovered by the Cybernews research team in March 2024, this instance had been publicly accessible for months. The URL containing "voter documents" suggested its purpose, and the data leak likely resulted from a misconfiguration. The exposed documents contained sensitive voter information, raising concerns about data security. After researchers contacted the clerk's office, the issue was addressed and secured to prevent further exposure.

Fowler reported his findings on VPN Mentor: "I recently discovered a non-password-protected database that contained a collection of different documents including voting records, ballot templates, voter registrations, and numerous lists. All of the physical addresses appeared to be from a single county in the state of Illinois…. I suspected there could be more counties inadvertently exposing voter and election records." He continued by explaining his method: "So, I took the known database name format and simply replaced the county name." This approach identified "a total of 13 open and publicly accessible databases and an additional 15 databases that exist but are not publicly accessible."