Votebeat is a nonprofit news organization reporting on voting access and election administration across the U.S. Sign up for Votebeat Arizona’s free newsletter here.
A hacker gained access to the web portal Arizona candidates use to upload information about themselves and changed candidate profile photos that were live on the election results website, just three weeks before the special congressional primary election, Votebeat has learned.
The Secretary of State’s Office realized the system had been breached, shut down the candidate portal the week of June 23, and kept it offline for a week, according to JP Martin, an office spokesperson. Martin said officials flagged the problem upon noticing unusual activity. He said he did not know what kinds of photographs had been improperly posted, or which candidate photos were changed.
The hacker was able to gain access to candidates’ individual profiles, where the information they upload, including candidate filings, is stored. While much of that is public information, the office is still investigating whether any private, personally identifying information was improperly accessed, Martin said.
The candidate portal is separate from the state’s voter registration and petition signature gathering systems. No voter data was accessed, Martin said.
When the office’s cybersecurity team realized that a malicious actor had gained access, Martin said, it contacted the Arizona Department of Homeland Security, the National Guard, and a private cybersecurity firm to help. All three are helping with the investigation, he said.
While the portal was down, candidates had to work with the office to submit their documents and information through workarounds. The portal now directs candidates to update their passwords, “to support ongoing cybersecurity preparedness.”
The office put out a news release about the incident on July 1, two weeks before the July 15 primary for the 7th Congressional District, explaining that the office had “detected and successfully responded to a malicious adversary” that targeted the website. It did not provide additional details publicly, but also briefed a bipartisan group of state lawmakers about the breach.
On Tuesday, Tyler Bowyer, COO of political advocacy group Turning Point Action, criticized Secretary of State Adrian Fontes for not providing the public with more information about what occurred. “Don’t let Fontes bury this and pretend like ‘there is nothing to see here,’” he wrote in a social media post.
Martin said that criticism is false, pointing out that the office met with a bipartisan group of lawmakers to discuss the incident and isn’t trying to hide it.
In recent comments to the Arizona Technology Council, Martin said, Fontes emphasized how large a threat cybercrime is, and how businesses, institutions, and democracy are all at risk. It’s “counterproductive” to demonize organizations that are transparent about attacks when they occur, Martin said.
Jen Fifield is a reporter for Votebeat based in Arizona. Contact Jen at jfifield@votebeat.org.
