New Hanover County: voting machine admin password, config info leaked to public

A protest of the results in a county commissioner race in this southeastern county has blossomed into a full-blown PR fiasco for the local and state elections boards. A significant number of absentee ballots were found on one of the county’s computer network servers accessible to the public. There are questions as to whether those votes were counted. Almost as troubling, if not more so, the personal info of the absentee voters (driver license number, birthdate, last-four of SS#, home address) was all openly available on that server to anyone who bothered to look.

A concerned citizen in New Hanover County has forwarded to us some emails, generated by county employees, from that same public server that are also quite troubling. The emails contained: (1) the administrative credentials for logging in to and configuring voting machines, and (2) the step-by-step procedure for clearing votes out of machines. (The emails containing that information were dated prior to election day.)

The citizen in question, Chris Anderson, has contacted the state board of elections and state Senate president pro tem Phil Berger about the discovery.  Josh Lawson, spokesman for the state board, confirmed in writing to Anderson that the info contained in the emails he discovered does not fall into the category of “public information.”

We contacted Lawson electronically to get his take on the matter:

New Hanover County makes certain email correspondence available by default. Weeks ago, this allowed others to improperly access data. They later discontinued that process.

Anderson’s email included credentials to access certain election systems. Those credentials are not active.

Additional security protocols are in place beyond mere username/password access.

At no time could anyone log into the state’s system using only the password and username Mr. Anderson has chosen to disclose publicly.

Email correspondence between some New Hanover County employees appears to contradict Lawson on how significant the administrative credentials are.

Lawson did not elaborate on whether the credentials were invalidated BEFORE or AFTER their public disclosure. A standard practice in IT security involves not transmitting administrative passwords via email. We asked Lawson if that is the practice within the elections office. Said Lawson:

I would have to refer any questions about New Hanover’s public email terminal practices to the county’s IT or counsel.[…] Our protocols incorporate additional credentialing measures so that a username and password are never sufficient to access state systems.[…]

We asked Lawson if the state board would be looking into the disclosures or considering sanctions against New Hanover county employees for the leak:

No sanctions have been issued at present. […]

If Mr. Anderson believed the username and password would grant access to the state’s system, it is unfortunate that he sought to more widely advertise them.