voter registration forms on table with blue tablecloth
Boston Globe/Getty
Analysis

Voter Registration Database Protections Are Resilient

Despite recent unfounded claims about data breaches, various systems and backstops protect voter information from cyberattacks.

May 5, 2026

Voter registration databases are maintained by election officials and determine if a voter is registered, where they are assigned to vote, and often what ballot they should receive. There is no evidence that the systems states use for these databases were corrupted in any prior election, including in 2020, and states have only strengthened security and their processes to ensure the accuracy of voter rolls since.

Despite that, the Trump administration and its supporters continue to try to relitigate the 2020 presidential election results, most recently by misconstruing declassified intelligence reports about database vulnerabilities. This fits in with ongoing efforts to justify future election interference and lay the groundwork for reusing the debunked fraud claims in 2026 and 2028.

The formal voter registration database systems are the only databases that matter when administering elections. While some voter information from the voter registration database is publicly available in accordance with state law, nonpublic information, such as Social Security numbers, is largely protected from exposure.

Campaigns and political organizations enrich this public data for canvassing and outreach, and data brokers also compile their own voter information from a variety of sources. While these unofficial holdings of voter data can be a rich target for cyber actors who seek to sow chaos, run influence operations, or undermine confidence in elections, they are separate from the official voter registration database.

Voter registration databases are computer systems, and like other computer systems, they have vulnerabilities. But election officials and their security counterparts at the state and local level have made substantial progress to protect these systems and detect incidents. The Bipartisan Policy Center estimates that states have spent more than $343 million on voting machines and cybersecurity to help secure these systems since August 2024.

The Center for Election Innovation and Research surveyed states about their cybersecurity and physical security practices and consistently found that they are implementing strong security practices for voter registration databases. The survey results note that all states have dedicated IT security teams, use multi-factor authentication for user validation and restricted user access, and regularly conduct system audits to identify security vulnerabilities. Multi-factor authentication makes it difficult for unauthorized users to access these systems through phishing campaigns. Audits and restricted user access establish controls that alert the dedicated IT personnel to attempted changes to voter information.

In addition, all states regularly back up their voter registration databases to preserve an official copy, and most store this copy offline with encryption for additional protection. These steps make it difficult for an unauthorized user to access and alter the backup through the internet. The Center for Election Innovation and Research also found that some states use one or more monitoring systems and record failed logons to track unsanctioned access attempts and guard against potential insider threats or hacking attempts. To mitigate distributed denial of service (DDoS) attacks that would render a website or system inaccessible, states use content delivery networks or other DDoS mitigation tools. Importantly, voter registration databases are separate from vote casting and tabulation systems, so attempted intrusions of voter registration databases would not impact vote-tallying results.

The election process itself acts as an additional security and verification measure by revealing any pre-Election Day attempted cyber intrusions on voter registration databases. For example, mail ballot requests and early voting serve as tests of the integrity of voter registration databases’ data. Election officials and their counterparts in IT and security are generally able to identify evidence of corruption, manipulation, and impacts on voter data integrity in these early-stage processes and have time to take any required remediation steps.

In addition, should there be evidence of actual harm to the election systems, states have procedures separate from cyber and infrastructure security measures that afford voters the opportunity to cast ballots while they validate voter eligibility. If a voter registration database is affected by an attempted intrusion or attack, the provisional ballot system, as well as flags by VoteShield, a public database that monitors for potential abnormalities in voter data and absentee ballot requests, will help states mitigate the effects on voters. States also have numerous processes in place to check the accuracy of voter rolls, including conducting cross-checks with other state and federal resources to confirm deaths, address changes, and registration status.

These security measures, checks, and protections are standard practice. However, based on a faulty analysis of a March 2026 declassified intelligence report, “Vulnerabilities in US 2020 Election Infrastructure,” some websites, including Just the News, are claiming previously unrevealed vulnerabilities existed during the 2020 elections. These claims are misleading for several reasons. The vulnerability report’s scope specifically states it is focused on foreign actors and what they could theoretically do and does not analyze what foreign actors actually attempted in 2020. Further, the report’s scope does not assess the strengths or weaknesses of the U.S. systems themselves.

To address what foreign actors did do in 2020, the government released two separate reports after the conclusion of that election. A March 2021 joint report from the Department of Justice and Department of Homeland Security specifically examined whether any foreign government interfered with the 2020 election. Its conclusion was emphatic: No foreign actor changed votes, blocked anyone from voting, disrupted vote counting, or tampered with voter registration data. The accompanying threat report also concluded that the intelligence community had no indication that a foreign government attempted to alter any technical aspect of the voting process.

Voters should be confident in the resiliency of the security systems and elaborate processes election officials have instituted to secure voter registration databases. Not only are the systems themselves subject to numerous cyber and physical security measures, but they are also not connected to vote-casting and tabulation machines. The electoral process itself — particularly in locations with early voting and the use of provisional ballot requirements — helps election offices address technical issues, errors, and vulnerabilities in advance of Election Day.

Kate Lurie is a consultant with the Brennan Center who previously served as director of election security at the National Security Council.

Geoff Hale is a visiting fellow for election security at the Center for Democracy and Technology.