California Scheming

Written by:
Date Posted:
21 December 2017

Whoops a daisy.

Voter registration data for more than 19 million residents of California is being held to ransom by attackers. It was found on an unsecured MongoDB instance.

Kromtech researchers found this out and it’s the last of a long string of ransom demands targeted at unsecured MongoDB databases.

Well, that’s cool
This one was called ‘cool_db’ and contained two collections and was available for anyone with an internet connection. Lovely. One looks like it was just for a local district, the other seems like a massive dump of everyone in Cali. 19,264,123 records. All available for anyone to snaffle.

Kromtech weren’t able to work out who owned the database, or conduct any detailed analysis because the whole thing was deleted. They merely left a ransom note saying they could have it back for 0.2 bitcoins.

Not the first rodeo
It’s not Mongo’s first rodeo. In January this year around a quarter of all MongoDB databases left open to the interwebs were targeted with ransomware, and again in September. So this isn’t really a huge surprise. In the September attack, three lots of hackers wiped out roughly 26,000 MongoDB databases. They wanted just $650 in bitcoin to give the data back. No one knows if a) they got paid or b) the data was returned.

No one really knows who owned the database of Cali voters. The fact it was called ‘cool_db’ doesn’t really give any clues, but it seems unlikely an official body would have that as part of their naming convention…

The 4GB file had data structured with these rows:

  • City:
  • Zip:
  • StreetType:
  • LastName:
  • HouseFractionNumber
  • RegistrationMethodCode
  • State: CA
  • Phone4Exchng:
  • MailingState: CA
  • Email:
  • Phone3Area:
  • Phone3NumPart:
  • Status: A
  • Phone4Area:
  • StreetName:
  • FirstName:
  • StreetDirSuffix:
  • RegistrantId:
  • Phone1NumPart:
  • UnitType:
  • Phone2NumPart:
  • VoterStatusReasonCodeDesc: Voter Requested
  • Precinct:
  • PrecinctNumber:
  • PlaceOfBirth:
  • Phone1Exchng:
  • AddressNumberSuffix:
  • ExtractDate: 2017-05-31
  • Language: ENG
  • Dob:
  • Gender:
  • MailingCountry:
  • AssistanceRequestFlag
  • MailingCity:
  • MiddleName:
  • AddressNumber:
  • StreetDirPrefix:
  • RegistrationDate:
  • PartyCode:
  • Phone1Area:
  • Suffix:
  • NonStandardAddress:
  • Phone4NumPart:
  • CountyCode:
  • MailingAdd3:
  • MailingAdd2:
  • MailingAdd1:
  •  UnitNumber:
  • Phone2Exchng:
  • NamePrefix:
  • _id: ObjectId
  • MailingZip5:
  • Phone2Area:

Kromtech Security Centre’s Head of Communications, Bob Diachenko said “This is a massive amount of data and a wake up call for millions of citizens of California who have done nothing more than fulfil the civic duty to vote.”

The wallet in the note can be found here, and you can see the transactions.

The database is no longer online. The Secretary of State for California says they’re “looking into it”. Well, that’s alright then.



No votes yet.
Please wait...

Recommended Videos

Find out why Safestore adopted Hyve as their hosting provider

Case Studies

Hyve are 100% carbon neutral. We use carbon offsetting to balance out the release of carbon dioxide from our offices and infrastructure.