Emerging ThreatsData Breaches

Voter Data Exposes Personal Info to Potential Abuse

Analyst 207||Source: TheRegister
Voter registration document with redacted fields on a plain surface in a public office setting.

Your voter data could be used against you.

That blunt assessment is not hypothetical in a newly published analysis: publicly available voter registration files — even those with some fields redacted — can be linked to other public datasets to reveal identities, expose deployed military families, and supply convenient keys for employers or fraud rings. The finding comes from Noah M. Kenney, founder of consultancy Digital 520, who analyzed two county-level voter files and the Federal Election Commission contribution data to demonstrate how straightforward re‑identification can be.

Noah M. Kenney’s analysis and methods

Kenney describes his work in a research paper titled "Public Voting Records: A Record, or an Attack Surface?" He told The Register he deliberately "picked two different counties that kind of represented opposite ends of the spectrum," comparing Travis County, Texas (where voter files contain fewer data points) and Robeson County, North Carolina (where more fields are public).

Kenney used programmatic linking and standard public APIs to test real-world re‑identification. For one exercise he pulled 500 FEC contribution records for ZIP 78704 (an Austin-core ZIP) from the 2024 cycle via the FEC OpenAPI on May 1, 2026. After de‑duplication to 181 unique contributors, he inner‑joined on (last name, first name, ZIP) — "no fuzzy matching, no nickname normalization, no suffix handling" — and measured match rates against the voter file.

Travis County, Texas and Robeson County, North Carolina voter files

The two counties represent different disclosure regimes and, Kenney writes, different practical risks. The North Carolina file includes phone numbers for the majority of voters; Kenney found that 88.53 percent of voters who have a phone number listed have a number that is unique within the county, making phone-number joins a powerful key for linking external datasets.

Even the more restricted Texas file yielded substantial linkability. Kenney notes that Texas' redaction of date of birth is undermined by the availability of voter registration data: when combined with ZIP and gender, voter registration can uniquely identify 28 percent of voters. He also found the Travis County file exposes 320 deployed military families through published APO/FPO mailing codes.

Key re‑identification results

  • Name and ZIP code uniquely identify 95.81 percent of Texas voters and 87.79 percent of North Carolina voters, per Kenney's findings.
  • From the FEC exercise: of 181 unique FEC contributors in ZIP 78704, 105 (58.01 percent) matched any voter record and 95 (52.49 percent) matched a uniquely identifiable voter. Of the 105 matches, 74.3 percent had a non‑trivial employer field in FEC data.
  • Kenney observed that the 52 percent unique match rate would likely rise to "90–95 percent" if commercial data‑broker tools and matching techniques were used.
  • Voter turnout patterns are themselves identifiers: among Travis County voters who have voted in 20 or more elections, 98.4 percent have a turnout pattern that is unique to them.
  • Separately, recent research cited in the paper highlights that AI tools make the process of identifying people from seemingly anonymous data points even easier.

Recommended mitigations and the Secure Data Act

Kenney argues that redaction of individual fields is a weak defense and favors access controls. His recommended measures include rate limits on bulk file requests, identity verification and requiring state ID to obtain files, maintaining audit logs of requests, and prohibiting commercial resale of voter records.

He also recommends narrower, targeted changes: generalizing voter registration dates to a year instead of a day and excluding armed forces mailing codes (APO/FPO) from published voter rolls. Kenney suggests people should be allowed to opt out of inclusion in public datasets and that general data‑privacy protections would be helpful.

On federal action, the paper notes that House Republicans introduced the Secure Data Act last week as an attempt to create federal privacy rules. Kenney said the bill "is significantly weaker than a lot of state regulations" and added, "The industry consensus is that the likelihood of it passing is extremely low, at least in its current form." He framed that outcome in context: "This represents the third attempt to pass comprehensive data privacy in recent years, most recent being the American Data Privacy and Protection Act, which failed to pass."

What this means for military families, employers, and identity fraud rings

  • Military families: The publication of APO/FPO codes in the Travis County file currently exposes 320 deployed military families, creating operational privacy and safety risks for those households.
  • Employers and background screeners: Kenney shows how primary ballot history, turnout patterns, and FEC employer fields can be joined to infer political affiliation or employment information about job applicants.
  • Identity fraud rings: Voter file indicators such as "mail returned" can be used to find people with disrupted mail delivery, enabling address‑takeover schemes via bogus change‑of‑address requests.

Kenney’s analysis converts an abstract privacy concern into repeatable, measurable linkage operations. His conclusion is stark: without stronger access controls, blanket redaction of fields will not prevent the real-world re‑identification scenarios he demonstrates. Whether counties change long‑standing public‑records practices or federal lawmakers adopt a far more robust privacy rule than the Secure Data Act, the paper leaves a clear prompt — public voter records remain an efficient attack surface unless the mechanics of access and resale are fixed.

Original article

Data ExposureData PrivacyEmerging ThreatsElection SecurityVoter Data SecurityIdentity DisclosurePublic RecordsRe-identificationPersonal Data Protection
Related Intelligence

Continue Reading

Technicians work in a network operations room with rows of server racks and equipment.

Cisco Unified CM flaw exploited in targeted attacks

Hackers are actively exploiting a high-severity flaw in Cisco Unified Communications Manager, allowing them to gain unauthorized access and control over vulnerable systems. This newly discovered vulnerability, tracked as CVE-2026-20230, has a CVSS score of 8.6, indicating a significant threat to security.

Analyst 207
Manufacturing floor with industrial equipment and computer workstations.

Tata Electronics Hit by Cyberattack, Data Leaked

Tata Electronics recently fell victim to a cyberattack, but swift action was taken to contain the breach and minimize disruption, with the company confirming that its operations remained uninterrupted. The incident affected parts of its IT infrastructure, but established response protocols were activated to mitigate the impact.

Analyst 207
Rows of computer servers and networking equipment fill a brightly-lit network operations center, conveying a sense of…

FortiBleed Exposes 110 Million Credentials in Global Firewall Hack

A recent global firewall hack, dubbed FortiBleed, has exposed a staggering 110 million credentials, putting countless individuals and organizations at risk. This massive breach was made possible by a sophisticated five-stage pipeline that allowed hackers to capture sensitive information, including cleartext and hashed credentials, from compromised devices.

Analyst 207
Concerned medical staff in a brightly-lit hospital corridor with a foreground computer terminal.

Xsolis Data Breach Exposes 1.4 Million People's Sensitive Information

A targeted phishing attack on January 20, 2026, led to a massive data breach at Xsolis, exposing sensitive information of 1.4 million people after the company detected unauthorized activity on its network two days later. Xsolis quickly sprang into action, containing the breach and launching a thorough investigation with cybersecurity experts.

Analyst 207