Data security firm UpGuard is bringing our attention to a very severe data exposure today. This “leak” of sorts left the personal data of nearly every registered voter in the US exposed, making this the “largest known data exposure of its kind,” according to UpGuard’s Cyber Risk team. In all, the data for 198 million registered voters in the US was left exposed, which is a ridiculous number of people when you consider that it’s 61% of the country’s population.
The good news is that this data was found by UpGuard’s Chris Vickery and not someone with a more malicious intention. Upon discovering the repository, which was hosted on Amazon Web Services without any form of protection, Vickery alerted Deep Root Analytics, the owner of that data. Before the exposure was made public, Deep Root Analytics had time to secure its data and Vickery was able to alert the federal authorities.
What all was exposed in this debacle? Vickery was able to find 1.1TB of publicly accessible data, containing information on voters that included first and last names, dates of birth, home and mailing addresses, phone numbers, and in the cases where voters had self-identified, racial demographics as well. Beyond all of that, it included modeled data on voters’ ethnicity and religion.
Deep Root had all of this data because it was helping the Republican National Committee better target its 2016 campaign for the US Presidency. Deep Root was founded in 2011, shortly before the 2012 Presidential election, and indeed, many of these profiles were built on information from the elections in 2008 and 2012. Vickery also found a folder with data relevant to the 2016 election, but it only included files for Florida and Ohio, two battleground states that candidates generally need to win if they’re to become the President-Elect.
Deep Root wasn’t the only company contributing information to this “data warehouse.” Data from two other companies – TargetPoint Consulting and Data Trust – was also compiled in this library, so the profiles the RNC had on voters were certainly extensive. Of course, that the RNC and DNC would be trying to create in-depth profiles on voters and the larger demographics they belong to shouldn’t be much of a surprise, but we should also expect them to keep that data under lock and key.
That isn’t what happened here, as anyone with the link could see this information stored on Amazon’s cloud servers without needing to enter any form of credentials first. The hope here is that no one who could be considered unsavory accessed this data before Vickery brought attention to this oversight, but obviously it would have been preferable to not have to worry about such an intrusion in the first place.
In the end, UpGuard says, this raises “significant questions” about data security with regard to American voters. The fact that this data exposure comes at a time when nation-states like Russia are trying to eavesdrop on the US electoral system makes it even more worrying. UpGuard stresses that something needs to change about the way these companies store their data; otherwise a breach will happen and we won’t have the good fortune of data security experts stumbling upon it before any harm can be done:
“Despite the breadth of this breach, it will doubtlessly be topped in the future — to a likely far more damaging effect — if the ethos of cyber resilience across all platforms does not become the common language of all internet-facing systems,” UpGuard writes in its report.