INDIANAPOLIS, Ind. -- The election software vendor at the center of a new top-secret report involving Russian hacking in the 2016 election has contracts in Indiana, but as of late Tuesday afternoon election officials were confident no Indiana voter information was compromised.
In the report, intelligence officials outline how days before the election, Russian hackers attempted to trick local election officials into opening a corrupt document. The result could have given the Russian hackers access to potentially sensitive voter information.
The government report doesn’t directly name the company, but it does reference the vendor VR Systems numerous times, and the company has since responded publicly after the leaked NSA report was made public.
Indiana state election officials tell CBS4 six counties – Cass, Floyd, Montgomery, Vanderburgh, Vigo and Wayne – contract with VR Systems to manage their electronic poll books.
According to the report, just days before the election, likely on Oct. 31 or Nov. 1, the hackers posed as an employee of VR Systems, sending corrupt emails to 122 people, likely election officials or others involved in the management of voter registration systems across the country, hoping someone would accidentally take the bait.
According to its website, VR Systems has contracts in eight states – California, Florida, Illinois, Indiana, New York, North Carolina, Virginia and West Virginia.
Current and former county election officials in all six Indiana counties, with knowledge of work surrounding the 2016 election, all told CBS4 Tuesday they do not believe they received the corrupt email and none of the officials believe the company VR Systems alerted them to any potential problems.
State election officials in the Indiana Secretary of State’s office are also unaware of any issues and were not alerted by county clerks of any federal investigations or alerts from the election vendor, a spokesperson said.
And late Tuesday, Wayne County Clerk Debra Berry said she received confirmation from VR Systems that no Indiana counties were impacted, adding the primary focus was customers in Florida.
For its part, VR Systems issued a prepared statement to CBS4 but would not answer questions specifically addressing Indiana.
“When a customer alerted us to an obviously fraudulent email purporting to come from VR Systems, we immediately notified all our customers and advised them not to click on the attachment. We are only aware of a handful of our customers who actually received the fraudulent email and of those, we have no indication that any of them clicked on the attachment or were compromised as a result. Phishing and spear-phishing are not uncommon in our society. We regularly participate in cyber alliances with state officials and members of the law enforcement community in an effort to address these types of threats. We have policies and procedures in effect to protect our customers and our company. It is also important to note that none of our products perform the function of ballot marking, or tabulation of marked ballots.”
So what does all of this mean?
It’s important to note, elections official said, the state of Indiana does not contract with VR Systems.
If anyone were to gain access to county E-poll book information, state election officials said that information would include a registered voter’s name, address, date of birth and voting precinct.
The electronic poll books, officials said, are not connected to voting machines or the statewide voter registration system, which includes more confidential information like a voter’s driver’s license number of last for digits of their social security number.
Nationally, the NSA report said "it is unknown whether the aforementioned spear-phishing deployment successfully compromised the intended victims, and what potential data could have been accessed by the cyber actor."
Indiana election officials continue to monitor the developments closely but have no reason to believe any information was compromised.
A federal contractor, 25-year-old Reality Leigh Winner, was arrested and charged Monday with leaking the classified information.