The Illinois Voter Registration System, IVRS, is still down after officials discovered a security breach on July 12.
The system was shut down the day after the breach was discovered, according to Kyle Thomas, the state board of elections’ director of voting and registration systems.
“Once the severity of the attack was realized, as a precautionary measure, the entire IVRS system was shut down, including online voter registration,” Thomas wrote in a memo to the election authority that was posted to McLean County Clerk Kathy Michael’s Facebook page.
A look-up field on IVRS that allowed voters to find out if they were already registered to vote, and at which address, could have allowed hackers access to the system, Ken Menzel, general counsel for the State Board of Elections, told StateScoop.
“One of the fields in that self lookup had a badly set parameter that allowed the attack through,” Menzel said.
The attack was traced back to servers in the Netherlands, Menzel said, causing officials to assume the hacking came from a foreign source.
The attack did not change any information in the IVRS, but the hackers did use structured query language, or SQL, database queries in an attempt to obtain voter signature images and history. SQL queries are commonly used in managing data held in a database system.
“One of the things with the Internet is, anyone can be operating from anywhere, so we can’t say that that’s where they were located but it helped us suspect at least that there was foreign involvement somewhere,” Menzel said.
SQL injection is a relatively basic attack, Georgia Weidman, founder of cybersecurity research firm Bulb Security, told StateScoop in an email. Testing for it should be standard for all applications, which should help avoid future incidents, she said. External auditing and penetration tests could also help, especially since these breaches could lead to voter fraud.
“The vulnerability should have been caught by the application developers,” Weidman wrote. “But if not, would have been caught by an external penetration test, which best practice calls for annually.”
The vital records system that stores voter record information is also shut down until the problem is corrected.
“We’re still figuring out exactly what they got, but you presume they were looking for as much information on as many people as they could get,” Menzel said. “That’s the kind of thing hackers are constantly trying to get into all the state voter databases for.”
Menzel expects it will take another 10 days to two weeks to find the extent of the breach and correct it. He did not provide a timeline for when IVRS would go back online.
“People are always trying to get in, it’s a constant thing,” Menzel said.
Editor’s Note: This story was updated on July 26, 2016, to reflect a comment from Georgia Weidman, founder of cybersecurity research firm Bulb Security.