


198 million American voter records found unprotected on the internet

Jun 20, 2017 · 4 mins
Data and Information Security, Security

A contractor working for the Republican National Committee committed a massive security blunder, failing to secure a server which contained the personal information of 198 million American voters; it's believed to be the largest leak of voter records to have ever occurred anywhere in the world.


You’d think if someone had amassed personal information on nearly every registered US voter, and stored that information in an Amazon S3 storage bucket, that it would at least be protected with a password. But thanks to a misconfigured server, personal data of 198 million American voters could be downloaded by anyone who happened across it. It is believed to be the largest leak of voter records to have ever occurred anywhere in the world.

The data exposed in that giant oops, caused by Deep Root Analytics, a data analytics firm contracted to compile the information for the Republican National Committee, contained names, birthdates, home and mailing addresses, phone numbers, party affiliations, suspected ethnicities and religions, as well as analytics on who people would likely vote for and their stance on hot-button issues such as gun control and abortion.

The exposed and unsecured server was discovered by Chris Vickery, a cyber risk analyst for UpGuard. While scanning the web for publicly accessible servers, he discovered the data on the Deep Root Analytics Amazon subdomain “dra-dw,” which stands for Deep Root Analytics Data Warehouse.

It contained personal information on almost every American voter – 198 million of America’s 200 million voters. The exposed server even contained bizarre bits of data. One of Deep Root’s folders is all about Reddit, containing 170 GB of data scraped from subreddits. Although the server belonged to Deep Root, it also contained data compiled by other data analytics firms on behalf of the Republican Party: Target Point Consulting, Inc. and Data Trust.

UpGuard noted that data compiled by Data Trust, for example, contained “dozens of sensitive and personally identifying data points, making it possible to piece together a striking amount of detail on individual Americans specified by name.”

All of the data combined for the RNC data repository “would ultimately acquire roughly 9.5 billion data points regarding three out of every five Americans.”

Put another way by UpGuard, you could think of the “1.1 terabytes of entirely unsecured personal information” as being equivalent to about 500 hours of video or 10 billion pages of text; and it could have been downloaded by anyone.

Vickery discovered the unprotected server with exposed databases on June 12. He reported the issue to law enforcement and contacted Deep Root. Deep Root secured the server on June 14, UpGuard said, “shortly after Vickery notified federal authorities.”

Deep Root has taken “full responsibility” for the massive security blunder. Your organization could be a complete control and security freak, doing a great job at securing personal information, but all it takes for a huge mistake is one third-party vendor to have sloppy security.

The data was allegedly exposed for 12 days as a result of Deep Root updating its security settings on June 1. Deep Root has put out the following statement: “We accept full responsibility, will continue with our investigation, and based on the information we have gathered thus far, we do not believe that our systems have been hacked. To date, the only entity that we are aware of that had access to the data was Chris Vickery.” The company has hired Stroz Friedberg to conduct a cybersecurity investigation.

Nevertheless, UpGuard said, “That such an enormous national database could be created and hosted online, missing even the simplest of protections against the data being publicly accessible, is troubling.”

Beyond the almost limitless criminal applications of the exposed data for purposes of identity theft, fraud, and resale on the black market, the heft of the data and analytical power of the modeling could be applied to even more ambitious efforts – corporate marketing, spam, advanced political targeting. Any of these potential misuses of private information can be prevented, provided stakeholders obey a few simple precepts in collecting and storing data.

Hopefully, after news of this huge trove of exposed personal information makes the rounds, companies will take the time to double-check servers for potential misconfigurations. Yet UpGuard suggested, “Despite the breadth of this breach, it will doubtlessly be topped in the future.”


Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.