Voter security glitch fixed

October 24, 2006

By John McCormick, Tribune staff reporter,1,3303012.story?coll=chi-techtopheds-hed&ctrack=1&cset=true

Chicago election officials said Monday they were forced to patch a security flaw on their Web site after a candidate found a programming error that had made private voter information vulnerable to theft for at least five years.

Officials said the glitch never threatened the integrity of election records. But they now have to determine whether anyone exploited the opportunity to steal the Social Security and birth date information from more than 780,000 registered voters in the city.

"We don't have any evidence that there was any theft," said Tom Leach, a spokesman for the Chicago Board of Election Commissioners. "But we don't want to be in a position where someone had their Social Security and date of birth stolen."

Officials acknowledged that for the last five or six years it would have only taken a few keystrokes for a knowledgeable computer user to obtain the personal information for more than half of the 1.3 million identities in the system.

Leach said that the error was fixed late Friday and that the Cook County state's attorney has been informed of the situation and the potential for identity theft. He said the board plans to hire a computer forensics expert to determine if personal information was stolen.

Leach said the private information was on the Web site because when it was first created in the mid-1990s, users were allowed to search for their registration by Social Security number. That option was dropped in 2000 or 2001, he said, adding that since 2003 officials have stopped collecting full Social Security numbers from new voters.

Until the bug was fixed, the private information could be viewed by using a feature in a Web browser that allows the user to see the raw data that underlie the page.

Leach said board chairman Langdon Neal also has ordered employees to delete all but the last four digits of Social Security numbers in all electronic files.

City officials said they were alerted to the problem by 43rd Ward alderman candidate and community activist Peter Zelchenko.

Zelchenko said he first presented information about the problem to election officials in August, but he declined to further discuss the matter.

Leach said Zelchenko initially did not offer any specifics but simply alluded to a general security problem with the Web site. "On Friday, he finally called and we asked him to come in," Leach said. "He was not blown off, if that is what he is implying."

Leach said officials fixed the glitch within hours of seeing Zelchenko demonstrate the problem.

The Illinois Ballot Integrity Project, which said Zelchenko is one of its members, publicized the incident in a news release Monday.

"This is only the online database, not the real database," said Bob Wilson, the group's Cook County chairman. "But they didn't flush out sensitive information that didn't need to be on the Web site."

Kelley Quinn, a spokeswoman for Cook County Clerk David Orr, said the online database for suburban Cook County voters has only the last four digits of Social Security numbers and that the office is not aware of any similar security breaches.

"Our voter registration management system is a database that sits behind the county firewall. It is password-protected just like the sheriff, Circuit Court and county tax records," said Clem Balanoff, director of elections for Cook County. "We're comfortable that this provides the necessary security to protect our data."

main page ATTRITION feedback