FDLE Arrests Estero Man Over Alleged Election Website Hacks
The Florida Department of Law Enforcement on Wednesday arrested an Estero man who is accused of hacking both the state and Lee County’s elections websites.
David Levin, who turned himself in, faces three counts of unauthorized access of a computer or computer system. Those are felonies.
The 31-year-old Levin runs a cybersecurity company.
Florida Department of Law Enforcement Special Agent Supervisor Larry Long said Levin allegedly hacked the Lee County Elections Office once in December and the state Division of Elections website twice in January.
Long said he cannot give details right now on what Levin accessed in the state website.
“He was able to gain access into the state department of elections website and get into areas that the normal public would not be able to get into,” he said. “He did that using a specialized data breaching software.”
In a statement, the Florida Department of State wrote the Florida Voter Registration System was not accessed and is secure. They wrote they received notice in February that “an individual had attempted to gain unauthorized access to an ancillary website containing archival data.”
The office declined to do an interview.
Long said Levin used that same software to obtain usernames and passwords of Lee County employees and he used those to break into other parts of the local website.
Lee County Supervisor of Elections Sharon Harrington said Levin accessed an old server that was no longer in use. She said the systems are safe.
“Our voter registration system, our tabulation system – where we actually add all those votes back up together – that tabulation system, and our website, they’re all very highly secured systems,” she said. “Especially, our tabulation system that’s kept on a totally separate database and a server. It is not connected to our regular voter registration in any way.”
Both the state and Lee County were contacted by Dan Sinclair about the hacks. Sinclair is running against Harrington as the local supervisor of elections.
Prior to reporting the incidents to the state and county, Sinclair and Levin made a video detailing how Levin accessed the website.
Sinclair, who has experience working in IT, said the two had only recently met before Levin reached out to him and told him he had used the software on the websites. Sinclair said he made the video, which is a paid political advertisement, to protect Levin.
In the video, Levin said he performed what’s called an SQL injection attack.
“You’re using that to trick the system to give you what might not be otherwise accessible to the public,” Levin said in the video.
Sinclair said while Levin may have been bragging in the video to impress his friends, his software didn’t break into the system. Instead, the software found holes that were already there.
“All the software does is test your system for holes, it doesn’t go break into the system,” said Sinclair. “It’s not a brute force attack. A brute force attack will keep banging on your system until it breaks in. That’s not what this was.”
He disputes many of the FDLE and Lee County’s claims. Sinclair said he’s angered by Levin’s arrest because he and Levin went to the state and counties and notified them of the holes.
“No one is dealing with the issue, which is the fact that these holes existed,” said Sinclair. “This investigation should have been why there was gross negligence both on the county and state level. Why these holes were there, why social security numbers and challenge questions were exposed to the internet,” he said.
FDLE’s Long said Sinclair was interviewed for the investigation and was not part of Levin’s unauthorized access.
Long said the investigation is ongoing and additional charges are possible.