Chicago Elections Board sued over data breach

For the second time since October, the Chicago Board of Elections finds itself facing charges that it failed to adequately protect the privacy of voters in the city.

State and federal class action lawsuits filed earlier this week allege that the Board was negligent when it distributed more than 100 computer disks containing Social Security numbers and other personal data on more than 1.3 million voters to alderman and ward committee members.

The 11-page state and six-page federal lawsuits ask the court to force the board to recover the disks and erase the data on them. The lawsuits, which seek unspecified monetary damages, also call on the board to notify affected individuals of the breach.

"What we'd like to see is some sort of an endowment, similar to what the [Department of Veterans Affairs] did last year, for people whose credit might have been damaged by this," said Nick Kefalos an attorney with Chicago-based Vernor Moran who filed the lawsuits.

Jim Allen, a spokesman for the Board of Elections, said that about 100 computer disks containing voter information were distributed to aldermen and committee members in late 2003 and early 2004. The information was distributed under an Illinois state law that requires election authorities to make available reports on registered voters to aldermen, election candidates and ward committees, Allen said.

Typically, the data that's made available by the election authority does not include the Social Security numbers of registered voters, Allen said. In this case, disks were created using data that was downloaded directly from the Board's "mainframes" after a 2003 fire at the Cook County Administration Building forced an evacuation of the building for several months.

"They had to do a massive download because they were not going to have access to the mainframes for several months," he said. That data included the Social Security numbers of over 1.3 million voters out of the 2.2 million registered voters in the city, and was "unfortunately included with the basic information" made available.

Allen added that the election board has hand-delivered letters on Monday to ward offices requesting the disks to be returned. He added that so far there is no indication that any of the information has been used for fraudulent purposes.

Since the board moved back to the Cook County building, it has not been including any Social Security numbers with the information sent out, Allen said.

The breach was brought to the Board's attention by Peter Zelchenko, who was running for an alderman's position, last month. Zelchenko is part of a group called the Illinois Ballot Integrity Project, and last October he disclosed a major breach on the Chicago Election board's Web site. That breach not only allowed users to view the Social Security numbers of registered voters but to also actually edit and delete the information.

Since that disclosure, the Board has fixed the problem and removed all but the last four digits of the social security numbers listed on its site, Allen said. It also hired a local firm, Grant Thornton, to help deal with data security and storage issues as well as the control and dissemination of data.

Following the disclosure of the latest breach, Zelchenko, created a Web site designed to help voters determine exactly what information might have been included in the disks that were handed out.

Regarding the latest breach, Zelchenko said it was "far worse" than the problem he disclosed in October. "There is now not one path to the information, but easily hundreds, on hundreds of CD-ROMs distributed over the years," he said.

"Essentially, you can select from among 2.2 million Chicagoans and know their full name, current and past addresses, family members' identities, birthdate, sex, phone number, Social Security numbers, and what years they voted. You couldn't plan a more ideal package for identity theft," he said.

This story, "Chicago Elections Board sued over data breach" was originally published by Computerworld.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2007 IDG Communications, Inc.

SD-WAN buyers guide: Key questions to ask vendors (and yourself)