The personal details of nearly 200 million voters were left exposed online by data firm Deep Root Analytics, which was working on behalf of the Republican National Committee, according to UpGuard, which reported the exposure on June 19 and characterized it as “the largest known exposure of voter information in history.”
“The data, which was stored in a publicly accessible cloud server owned by Republican data firm Deep Root Analytics, included 1.1 terabytes of entirely unsecured personal information compiled by [Deep Root analytics] and at least two other Republican contractors, TargetPoint Consulting, Inc. and Data Trust,” UpGuard reporter Dan O’Sullivan wrote in a blog post. “In total, the personal information of potentially near all of America’s 200 million registered voters was exposed, including names, dates of birth, home addresses, phone numbers, and voter registration details, as well as data described as ‘modeled’ voter ethnicities and religions.”
According to UpGuard, the data was found by Chris Vickery, a member of their Cyber Risk Team, on June 12 in an unsecured Amazon Web Services S3 bucket.
“As such, anyone with an Internet connection could have accessed the Republican data operation used to power Donald Trump’s presidential victory, simply by navigating to a six-character Amazon subdomain: ‘dra-dw,’ ” O’Sullivan wrote.
UpGuard found that the files within contained birth dates, home and mailing addresses, phone numbers, registered parties, self-reported racial demographics, voter registration statuses, and statuses on the Federal “Do Not Call” list. The files also contain the 32-character RNC ID’s assigned to each voter, meaning that those accessing the database can easily tie available data back to the real names of voters. Vickery and O’Sullivan looked themselves up in the database to determine the accuracy of the information.
“This reporter was able, after determining his RNC ID, to view his modeled policy preferences and political actions as calculated by TargetPoint,” wrote O’Sullivan. “It is a testament both to their talents, and to the real danger of this exposure, that the results were astoundingly accurate.”
The files also reportedly revealed the extent of voter analytics being conducted by RNC-hired firms, characterized as a “political treasure trove” of data that predicted voter preferences and behaviors.
“Beyond the almost limitless criminal applications of the exposed data for purposes of identity theft, fraud, and resale on the black market, the heft of the data and analytical power of the modeling could be applied to even more ambitious efforts–corporate marketing, spam, advanced political targeting,” wrote O’Sullivan.
According to UpGuard, the database was secured against public access on the night of June 14, not long after Vickery told Federal authorities of the exposure.
“We take full responsibility for this situation,” Deep Root founder Alex Lundry told Gizmodo, which first reported the story. “Since this event has come to our attention, we have updated the access settings and put protocols in place to prevent further access.”
“That such an enormous national database could be created and hosted online, missing even the simplest of protections against the data being publicly accessible, is troubling,” wrote O’Sullivan. “The ability to collect such information and store it insecurely further calls into question the responsibilities owed by private corporations and political campaigns to those citizens targeted by increasingly high-powered data analytics operations.”