PHOENIX — State election officials are looking at an additional level of security after fears earlier this year that the voter database had been hacked.
Matt Roberts, spokesman for the secretary of state’s office, said Monday the agency wants to implement “two-factor authentication” before anyone can get access to the list of registered voters. That would involve users providing more than just the sign-in name and password now required.
The move follows what Roberts said was the FBI telling state officials nearly two months ago there was a “credible threat” that the database had been compromised.
He said the state took the database offline and then examined it to see if any malware had been uploaded into it.
“We were unable to find any of that,” Roberts said.
“We didn’t find any evidence that anyone had penetrated the system at all,” he explained. “It was, according to those cybersecurity folks, a localized attack where an election employee had downloaded a virus inadvertently.”
That “localized attack” was the result of a Gila County election official, who was not identified, apparently had some malware that exposed that person’s username and password for the state voter registration database.
All passwords for the state system were subsequently changed.
The problems were disclosed in early July by Capitol Media Services.
On Monday Yahoo News quoted from an FBI “flash” alert released nearly two weeks ago citing prior efforts to hack state election systems.
The Yahoo report mentioned Arizona and said there was a similar attack in Illinois. And it noted the FBI is urging election officials nationwide to be vigilant and take additional security measures.
Roberts said his agency, in an abundance of caution, is now looking at so-called two-factor authentication where it takes something beyond a username and password to log into the system.
“That is something the secretary feels strongly should be implemented and we’re going to talk to our counties to gauge their interest,” he said.
The issue for county election officials, who use the statewide database, is that it will make access more difficult.
In general, it can require something beyond a password, like a person identification number. Other forms can require that the person enter a unique number that the system sends to an email or phone that is accessible only to that person.
There also are more complex forms that include things like fingerprints.
But Roberts said he expects counties to go along, even with the additional steps.
Even if hackers had been able to actually get into the database and alter it, some counties have taken their own steps to protect the records.
Chris Roads, Pima County’s registrar of voters, said his county maintains its own separate database to run its elections. Aside from having its own security features, Roads said it is stored on computers with no internet connection, making cyberattacks much less likely.
“You can only be hacked if you connect to the internet,” he said. “We’ve gone to great lengths to protect the database.”
Roads said Maricopa County also maintains its own voter database but the other 13 counties rely on the state database to run elections.
