Publicly Available U.S. Voter Registration Information for Six States Downloaded by a PRC CNE Actor
A substantially redacted government cyber report states that a PRC cyber network exploitation actor downloaded publicly available voter-registration data for six states from commercial websites in January 2022.
The document identifies itself as a revised copy that adds Oklahoma and clarifies that the voter-registration records were hosted on commercial websites; it instructs recipients to remove the original report.
“This is a revised copy. The State of Oklahoma has been added. In addition, the websites hosting the voter registration records are commercial websites, and that fact has been clarified in the report.”
The report says a PRC CNE actor downloaded historical registration information for Colorado, Connecticut, Florida, Michigan, Oklahoma, and Rhode Island on 14 January 2022. It separately says an Ohio voter-registration application was of interest to the actor but failed to download.
“historical U.S. voter registration information from 2013 to 2021 was downloaded by a PRC CNE actor on 14 January 2022 from U.S. commercial websites”
The report says the exposed personally identifiable information included names, party affiliations, email and physical addresses, and phone numbers, and assesses that it could theoretically support later cyber or election-influence activity. It explicitly states that the actor's actual motivation was unknown.
“could, in theory, be leveraged to carry out anything from future CNE operations to election influence operations”
The report warns election-security organizations that voter data may sit on nongovernment websites and therefore be harvested outside their monitoring.
“APT actors may harvest voter registration information outside the monitoring of election security organizations.”