Hackers targeted California’s motor voter system

April 10, 2019

California’s problem-plagued rollout of its motor voter system included an incident in which it appears foreign hackers targeted the state voter registration data, a security breach officials refrained from disclosing to the public. [LA Times]

On Oct. 10, 2015, former Gov. Jerry Brown signed into law the motor voter system, which requires every citizen receiving a new or updated driver’s license to be registered to vote unless the individual opts out. The program, which cost nearly $15 million, aims to register millions of new voters, and it could shape state elections for years.

The motor voter system launched on April 23, 2018, shortly ahead of the June primary and one week after it was scheduled to go live. Six days before the scheduled launch of the system, state computer security officials noticed the DMV’s computer network was trying to connect to internet servers in Croatia.

In an April 10, 2018 email, a California Department of Technology official suggested that was a sign hackers were targeting the DMV voter registration system.

“This is pretty typical of a compromised device phoning home,” the email stated. “My Latin is a bit rusty, but I think Croatia translates to Hacker Heaven.”

The apparent hacking incident occurred amid a rush to go live with the motor voter system, despite it containing a host of technological glitches, according to numerous state emails reviewed by the LA Times. There were also numerous clashes at the time among state personnel working on the project.

Emails show a decision was made at a May 2017 meeting to move up the project’s launch date from July 2018 to April 2018 and that project staffers believed top state officials were demanding the program be launched before the June 2018 primary in order to boost voter turnout. A project staffer who asked to remain anonymous said not meeting the deadline was not an option.

Additionally, emails show advisors to former Gov. Jerry Brown closely monitored the rollout of the program and that none of the three top state officials involved — Chief Information Officer Amy Tong, Secretary of State Alex Padilla and former DMV Director Jean Shiomoto — had ultimate authority over the project.

The day before the system went live, a senior programmer sounded alarm in an email.

“If we want to avoid an international incident and major security and launch failures on the scale of recent news stories about Facebook, IRS or the Office of Personnel Management — we need state executives to understand the serious nature of the current high-pressure rush to launch,” the senior programmer stated in the email.

Some programmers worked 30 straight hours without sleep during the final days before the rollout, only taking short naps on conference room floors.

Within hours of the system going live, there were frozen or blank DMV computer screens; private information was remaining on touchscreen devices between appointments; and selections related to registering to vote sometimes flipped from what a customer had chosen. Three weeks later, mistaken records appeared at local election offices, with inaccurate documents totaling upward of 100,000 by last fall.

The mistakes that were appearing included incorrect party preferences, adding non-citizens to the voter rolls and certain DMV customers not knowing they had been registered.

An independent audit of the motor voter system rollout is expected to be released soon.

Meanwhile, California Republicans are criticizing state Democrats for rolling out the system before it was ready and are saying the program was rushed because of political decisions.

“It’s clear the program was not ready for primetime, but was rushed into failure because of political decisions made by the Jerry Brown Administration and Secretary of State Alex Padilla,” California Republican Party Chairwoman Jessica Patterson said in a statement. “Considering the program was hacked by a foreign government, registered people who are not eligible to vote, changed voters’ party affiliation and kicked other eligible voters off the rolls, it was clear that Padilla and Brown had little concern for the security of voter data and the potential for abuse.”