The FBI Flash Bulletin, first obtained by Yahoo News, reveals hackers used a simple method to break into the voter registration databases – a method that cyber security experts say is easy to prevent.
“They used a method called SQL Injection. SQL Injection is a very popular way of breaching a database. It's actually pretty easy,” said Jamie Winterton, director of strategic research initiatives at Arizona State University’s Global Security Initiative.
Basically, hackers just copied and pasted special commands into input fields on the website, Winterton said. For example, instead of putting a username or driver’s license number into a given field, they put in malicious code that contains sequences like 'OR''='.
“[SQL Injection] can drop all of the contents in the database, so you could see who all of the users in a system were. It will allow you to, if you have the right commands, change things in the database,” she said.
Arizona election officials have previously said that no voter registration information was compromised in the breach; however, hackers were able to copy and steal data for 200,000 voters in Illinois, according to the memo and several reports.
“It’s a really easy thing to protect against, but unfortunately, it’s very prevalent because people don’t think to protect themselves against it,” Winterton said.
One way to defend a database against a SQL Injection hack is to limit what users can type into an input field, she said. Or to put it differently, when a box asks for a driver’s name, to limit responses to letters only.
“Nobody’s name has a semi-colon in it. Nobody’s driver’s license has an equals sign,” she said.
The FBI's memo includes nine recommendations to shore up cyber security on government websites, including, "Only accept expected user input and limit input length. This can be done by implementing a whitelist for input validation, which involves defining exactly what input is authorized."
EDITOR'S NOTE: A previous version of this online report implied that 200,000 Arizona voters had their personal information stolen in a breach. That is inaccurate. The stolen voter information was from the breach in Illinois.
Copyright 2016 KPHO/KTVK (KPHO Broadcasting Corporation). All rights reserved.