Cyber Incident Victim: Online Voter Registration System of the state of Alaska
Date:
Oct 2020
Location:
United States of America
Summary
A data exposure in Alaska's online voter registration system compromised personal information of approximately 113,000 individuals, including names, birth dates, state identification numbers, partial Social Security numbers, addresses, and party affiliations. The breach resulted from a flaw exploited by outside actors, though election results remained unaffected and no evidence of voter fraud or economic theft was identified. Officials attributed the incident to external actors and patched the vulnerability, offering affected individuals credit monitoring, identity theft insurance, and notification services. While the state suggested the data might have been used for propaganda purposes, no specific evidence or details were provided regarding such use. The incident prompted an investigation but did not impact voter tabulation systems or alter election outcomes.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On October 27, 2020, Alaska Lieutenant Governor Kevin Meyer was informed by law enforcement of a data exposure involving the state’s online voter registration system. The breach, discovered through an unidentified law enforcement agency, compromised personal information belonging to approximately 113,000 Alaskans. Outside actors exploited a vulnerability in the five-year-old system, which was separate from the voter tabulation infrastructure and contained records only of individuals who had updated their registration details within the previous five years. Exposed data included names, dates of birth, state identification numbers, the last four digits of Social Security numbers, addresses, and party affiliations—though names, addresses, and party affiliations were already publicly accessible through Alaska’s voter information database. State officials confirmed the breach did not affect election results or voting systems, emphasizing that hand counts and audits verified the accuracy of the 2020 election outcomes. The flaw in the online registration system was patched following the incident, and an external vendor was engaged to assist with the investigation, which remained ongoing as of early December 2020.
Alaska officials delayed public disclosure until December 3, 2020, citing the need to assess the scope and coordinate with law enforcement. Notification letters were mailed to affected individuals, accompanied by offers of free credit monitoring, identity theft protection services, and $25,000 in identity theft insurance. A dedicated phone line was established for inquiries, though technical issues initially disrupted access. State authorities, including Chief Assistant Attorney General Cori Mills, stated no surge in identity theft had been detected post-breach and downplayed its severity relative to typical corporate data breaches. While Division of Elections director Gail Fenumiai suggested the compromised data might have been used for “propaganda,” officials provided no evidence or specifics to substantiate this claim. Meyer acknowledged unrelated voter intimidation emails circulating in October—attributed by federal authorities to Iran and targeting multiple states—but declined to confirm any connection to the registration system breach, citing the active investigation. The state reiterated no evidence indicated voter fraud, manipulation of election results, or targeting of a specific political party through the incident.