Report: Kentucky’s Voter Registration System Vulnerable To Hackers

Nov 2, 2018

Credit Jacob Ryan

Kentucky’s voter registration system is running software that could be exploited by hackers, according to a new report by ProPublica.

But Kentucky’s top elections official, Secretary of State Allison Lundergan Grimes, says the system “has been and is secure.”

The state’s voter registration system includes a file-sharing software called FTP that allows public access to information. ProPublica’s reporting says that the service can act as a gateway for hackers to acquire key details that allow them to exploit a server’s vulnerabilities.

In a statement, Grimes’ spokesman Bradford Queen said the report “highlights a concern every state has with election security,” but said the system’s FTP service is secure.

“ProPublica’s report attempts to paint a negative picture, the State Board of Elections team has worked with its security partners, including the Commonwealth Office of Technology, to further investigate these claims,” Queen wrote.

“According to that team, the FTP service in question in ProPublica’s report has always been firewalled from the voter registration system, so no voter data is at risk. Based on assurances from State Board of Elections staff and its security partners, the State Board of Elections affirms that Kentuckians’ election data has been and is secure.”

ProPublica says it scanned websites run by every state’s election agency for virtual doors that allow external computers to access their servers. Kentucky was one of three states that had an active FTP service operating on their websites and did not require a password.

University of Kentucky Professor Josh Douglas, who specializes in elections law, said if the voter registration system were compromised, voters’ private information could be at risk, but the report doesn’t signal a potential for voter fraud.

“Aspects of Kentucky’s voter registration information are already available to campaigns to purchase,” Douglas said. “So the question is really, does this information that might be out there and hackable contain sensitive information about voters?”

Last month, tech news website ZDNet reported that Kentucky’s registered voter list was for sale on a popular hacking forum along with data from 18 other states.

Grimes said at the time that she was concerned about the alleged hack, but that she had “no reason to believe Kentucky’s voter registration system has been compromised.”

Grimes has advocated for boosting Kentucky election security, including a push for the state to phase out its use of electronic voting machines and replace them with machines that creates a hard copy of every ballot.

The executive director of Kentucky’s State Board of Elections recently accused Grimes of improperly accessing the state’s voter registration system to look up the party affiliation of current and prospective employees.