In what surely would rank as the biggest data breach of 2015, a misconfigured database exposed the personal information of 191 million registered U.S. voters for more than a week.

Independent security researcher Chris Vickery discovered the 300GB database on Dec. 20 and reported it to DataBreaches.net, which keeps track of online security blunders. The database no longer appeared online as of Dec. 28.

Vickery and DataBreaches.net worked with Steve Ragan of security news blog Salted Hash to trace the source of the information, but so far it remains unknown.

However, on Dec. 29, Jim Gilliam, founder and CEO of Los Angeles-based NationBuilder, which provides databases, released a statement: "While the database is not ours, it is possible that some of the information it contains may have come from data we make available for free to campaigns. From what we've seen, the voter information included is already publicly available from each state government so no new or private information was released in this database."

The unsecured voter list could present issues when it comes to protecting privacy and security. While this particular database did not contain Social Security or driver's license numbers, or any financial information, the records may have held personally identifiable information including voter names, birthdates, email and snail mail addresses, telephone numbers, party affiliations and state voter IDs.

DataBreaches.net pointed out that voter registration information is readily obtainable from most states and is sometimes combined with other data sources by marketing firms and political consultants. The majority of states do not limit use, although some states, such as California, have restrictions. Databases developed for political campaigns may also contain specific data about voter participation, party-line voting, and predictive analytics about likely future choices.

"Another example of total disregard for personally identifiable information through configuration negligence," Stu Sjouwerman, founder/CEO of the Clearwater, Fla.-based cybersecurity company KnowBe4, said. The security expert suggested everyone needs to assume their personal data is in the hands of bad guys and stay alert for social engineering attacks, which will use that data.

"Our society has never had to confront the idea of all these records, all in one place, being available to anyone in the entire world for any purpose instantly," Vickery said on Reddit. "That's a hard pill to swallow."


Roy Urrico

Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. He has also been writer/editor of a semi-annual newsletter for the Association for Financial Technology since 1997 and of history projects funded by the U.S. Interior Department, National Park Service and Warren County (N.Y.).