Thursday, June 1, 2023 | Back issues
Courthouse News Service Courthouse News Service

Candidate Raising Funds |for Fla. Elections Hacker

(CN) — David Levin claims he was only trying to show Florida officials that their computer servers were vulnerable to being hacked.

Instead, the 31-year-old cyber security company owner was arrested and charged for accessing Lee County and state election computer systems without authorization.

Levin was released last week on a $15,000 bond, and now Dan Sinclair — a candidate for Lee County Supervisor of Elections who created a video with Levin to demonstrate the vulnerabilities of the elections servers — is raising money for Levin's legal defense.

"Levin is a whistleblower who has been setup on bogus charges by a vengeful corrupt official, embarrassed by the flaws he found in her and other related systems," reads a GoFundMe campaign site that Sinclair created.

Although Levin isn't speaking to press, Sinclair is.

The whole thing started with a refresher course that Levin took with the Department of Defense, Sinclair said. Using tools he learned in the course, Levin began testing public servers and systems on the web, and he started with his local supervisor of elections servers.

"Dave was expecting the servers to be completely protected," Sinclair said. "Instead, he was shocked to find massive holes in the servers with user IDs and passwords for all staff."

Levin also tested Florida's Division of Elections system, and again, according to Sinclair, he found "massive holes."

"The state had the User IDs and passwords for all 67 supervisors of elections for the state of Florida exposed to the Internet in plain text," Sinclair said. Additionally, Levin was able to find people's social security numbers and the answers to their privacy questions, Sinclair said.

When the Lee County Supervisor of Elections Sharon Harrington — whom Sinclair is challenging for her seat in the upcoming election — got wind of it, she reported Levin's breach to the county sheriff's office, who then reported to the Florida Division of Law Enforcement (FDLE), Sinclair says. Then FDLE officers interviewed Levin. The arrest warrant details how Levin created reports of what he did for them, and explained in detail how he had hacked the system.

Essentially, he used SQL (Structured Query Language) as an injection technique that impelled the vulnerable systems to cough up usernames, passwords and other information.

IT staffers for the Lee County elections website also asked Levin to explain what he had done, Sinclair said. As thanks for Levin's efforts in exposing the flaws, Sinclair said, the FDLE finally used the information Levin provided, along with the video of the hack that Levin created and posted on YouTube, and an interview he did with a Fort Myers news station, to build a case against him.

Officials from Lee County — and court documents — tell a different story.

According to a document prosecutors filed last week, Levin stole Harrington's password when he logged in to the elections website, and he also allegedly gained unauthorized access to the database of Florida's Office of Elections.

Although he claimed to be exposing security breaches as a whistleblower, Lee County officials told the FDLE that Levin had hacked into an old system that was no longer in use. They claimed all sensitive data had been moved elsewhere, and that Levin's information had no value.

"The attack exploited a security hole in the content management system of that web server that allowed Mr. Levin to gain access to old user names and passwords," officials wrote in a statement.

They also said that the county was already transitioning the data from the attacked system to a new, more secure system.

"Mr. Levin was not able to access any information regarding voter records, current election data, or voter tabulation data as this information is not stored on the web server that he penetrated," the statement read. "In other words, Mr. Levin would not have been able to modify the results of any elections or access any individual voter data."

So really, the only thing Levin's hack revealed was that he was a criminal, prosecutors said. "Probable cause does exist to charge Levin with unauthorized access of any computer, computer system, computer network, or electronic device, a violation of Florida Statute 815.06(2)(a), a third degree felony," they wrote.

So far, Sinclair has raised $750 for Levin's defense.

Sinclair will challenge Harrington for her seat in the Aug. 30 election. "In light of the on-going legal proceedings regarding the security attack on the old Lee Supervisor of Elections web server ... there will be no further comments from this office at this time," said Vicki Collins, a public relations officer for Lee County.

Read the Top 8

Sign up for the Top 8, a roundup of the day's top stories delivered directly to your inbox Monday through Friday.