GOP Data Firm Left The Personal Data Of 198 Million American Voters On Openly-Accessible Amazon Server

from the whoops-a-daisy dept

A GOP data firm has accepted responsibility for leaving the personal data of 198 million Americans (aka: most of the country’s voting populace) openly accessible on an Amazon server in the biggest voter data leak in global history. Deep Root Analytics, the owner of the data, has long been contracted by the Republican National Committee to measure voter opinions on a wide variety of issues, from health care to gun control. As part of their contract with the RNC, the group pulls voter information from a wide variety of sources, ranging from Reddit to the Karl Rove super PAC American Crossroads.

This data, which includes religious affiliation and ethnicity, is then utilized to help craft PR efforts and other messaging, as well as to determine turnout and voter preferences. And, according to analysis of the data and previous profiles of the company like this one over at Ad Age, this firm was hugely influential in getting Donald Trump’s “populist” message out to voters during the last election cycle.

But last week, UpGuard cyber risk analyst Chris Vickery discovered that Deep Root had been storing a massive amount of this data on Amazon servers, publicly accessible via the internet, with absolutely no apparent security precautions whatsoever:

The data repository, an Amazon Web Services S3 bucket, lacked any protection against access. As such, anyone with an internet connection could have accessed the Republican data operation used to power Donald Trump’s presidential victory, simply by navigating to a six-character Amazon subdomain: “dra-dw”.
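The exposure described in that excerpt is a bucket whose settings let unauthenticated readers in. As an added example (not code from the article, UpGuard or Deep Root), the script below audits the two S3 settings a defender checks for exactly this failure: the bucket ACL, for grants to the AllUsers or AuthenticatedUsers groups, and the Public Access Block configuration, which must have all four switches on. The ACL and block-configuration dictionaries are constructed samples in the shape boto3 returns; the bucket name `example-bucket` is a placeholder, and the optional live lookup at the end is an assumption about how you would wire it to a real account.

```python
"""Audit S3 bucket settings for the open-to-the-internet exposure the article describes.

Added example, not from the page. The sample ACLs and Public Access Block configs below
are constructed in the shape of boto3's get_bucket_acl / get_public_access_block output.
"""
from typing import Dict, List

# Grantee URIs that make a grant public: world-readable, or readable by any AWS account.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account holder",
}

# All four switches must be True; each False leaves one path to public exposure open.
BLOCK_SWITCHES = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def public_acl_grants(acl: Dict) -> List[str]:
    """Return one finding per ACL grant that targets a public group (empty list = none)."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical-user grants (e.g. the owner) are not public
        audience = PUBLIC_GRANTEE_URIS.get(grantee.get("URI", ""))
        if audience:
            findings.append(f"{grant.get('Permission')} granted to {audience}")
    return findings


def public_access_block_complete(config: Dict) -> bool:
    """True only when every Public Access Block switch is explicitly enabled."""
    return all(config.get(key) is True for key in BLOCK_SWITCHES)


def audit_bucket(name: str, acl: Dict, block_config: Dict) -> Dict:
    """Combine both checks. A public ACL grant only exposes data if IgnorePublicAcls
    is off, because S3 ignores public ACLs when that switch is on."""
    grants = public_acl_grants(acl)
    ignored = block_config.get("IgnorePublicAcls") is True
    return {
        "bucket": name,
        "public_grants": grants,
        "public_access_block_complete": public_access_block_complete(block_config),
        "exposed_via_acl": bool(grants) and not ignored,
    }


# --- constructed samples: the weak configuration beside the corrected one ---
OWNER = {"Type": "CanonicalUser", "ID": "PLACEHOLDER_OWNER_CANONICAL_ID"}

OPEN_BUCKET_ACL = {  # world-readable: the misconfiguration in the article
    "Owner": OWNER,
    "Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
NO_BLOCK_CONFIG: Dict = {}  # no Public Access Block set on the bucket

HARDENED_BUCKET_ACL = {"Owner": OWNER, "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
FULL_BLOCK_CONFIG = {key: True for key in BLOCK_SWITCHES}


def audit_live_bucket(name: str) -> Dict:
    """Optional: run the same audit against a real bucket with boto3 (assumed installed
    and configured with read-only credentials). Not exercised by the samples above."""
    import boto3
    from botocore.exceptions import ClientError

    s3 = boto3.client("s3")
    acl = s3.get_bucket_acl(Bucket=name)
    try:
        block = s3.get_public_access_block(Bucket=name)["PublicAccessBlockConfiguration"]
    except ClientError:
        block = {}  # no Public Access Block configured: treat every switch as off
    return audit_bucket(name, acl, block)


if __name__ == "__main__":
    for label, acl, cfg in (("open", OPEN_BUCKET_ACL, NO_BLOCK_CONFIG),
                            ("hardened", HARDENED_BUCKET_ACL, FULL_BLOCK_CONFIG)):
        print(label, audit_bucket("example-bucket", acl, cfg))
```

Run as-is to see the open and hardened samples side by side; point `audit_live_bucket` at a bucket you own to check the real settings. Treat any non-empty `public_grants` or an incomplete Public Access Block as a finding to fix, even when `exposed_via_acl` is False, since a later change to one switch is all it takes to reopen the bucket.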

Vickery frequently hunts for misconfigured data sources on behalf of UpGuard’s Cyber Risk Team, often finding everything from military engineering plans to lists of potential terrorists simply sitting out in the open. Vickery had recently exposed a top defense contractor for doing something similar, albeit on a notably smaller scale. In this instance, the openly-accessible data included names, addresses, birthdates, phone numbers, and troves of stored online user posts collected over the better part of the last decade:

“Within ‘data_trust’ are two massive stores of personal information collectively representing up to 198 million potential voters. Consisting primarily of two file repositories, a 256 GB folder for the 2008 presidential election and a 233 GB folder for 2012, each containing fifty-one files – one for every state, as well as the District of Columbia. Each file, formatted as a comma separated value (.csv), lists an internal, 32-character alphanumeric ‘RNC ID’ – such as, for example, 530C2598-6EF4-4A56-9A7X-2FCA466FX2E2 – used to uniquely identify every potential voter in the database. These RNC IDs uniquely link disparate data sets together, combining dozens of sensitive and personally identifying data points, making it possible to piece together a striking amount of detail on individual Americans specified by name.”

One segment of the files contained modeled data about each individual voter’s likely positions on 46 different issues. Other portions of the data detail whether voters are registered, and whether they are currently on the federal “Do Not Call” list (you may recall that the RNC is currently supporting a proposal that would let them spam your voicemail inbox without your phone ringing). Collectively, this data was collected and used by a massive number of Republican outfits, including Americans for Prosperity, market research firm TargetPoint, Causeway Solutions, and more.

The security faux pas is considered one of the most monumental ever documented in any country. The 198 million American voters exposed by this screw-up dwarfs the previous biggest leak – a leak of the voting data of 93.4 million Mexican citizens – as well as the now-third biggest leak of this kind ever – the exposure of the data of 55 million voters in the Philippines. On the plus side, a statement being provided by Deep Root to the media takes ownership of the screw-up, without too much of the couching you often see after such breaches:

“We have engaged Stroz Friedberg to conduct a thorough review, and that process is underway. Based upon this review we have determined that the access that was made without our knowledge happened because of a change that was made in the files’ asset access protocols. We are in the process of determining how that change was made and take full responsibility for the change, but suffice to say we have updated the settings to prevent further access. We believe the change that was made happened post June 1 2017, which was when we last evaluated and updated our security settings. We do not believe that our systems have been hacked. To date, the only entity that we are aware of that had access to the data was Chris Vickery.”

Still, it’s not exactly a confidence builder to witness the largest leak of voter data in global history as we’re busy trying to ascertain just how secure our clearly dysfunctional voting systems are to malicious outside influence — and debating the slow-but-steady erosion of consumer privacy protections being spearheaded by the GOP.

Companies: deep root


Comments on “GOP Data Firm Left The Personal Data Of 198 Million American Voters On Openly-Accessible Amazon Server”

Anonymous Coward says:

Re: Re: Re: free 'government' data

By-name voter registration & political donation records are mandated and made public by the GOVERNMENT.

Government makes it easy for political parties & interest groups to find out who is voting and what their political affiliations are. Mandatory Census data also provides detailed demographic data down to the street/block level. Public government real estate records mandate exact name and address of home owners.

GOP & Democrat Party want to know details of who is in the electorate.
It’s not just a GOP thing (and of course Democrat Party would NEVER let its private computer records be compromised)

Baron von Robber says:

Re: Re:

Of course.

“No title of nobility shall be granted by the United States: and no person holding any office of profit or trust under them, shall, without the consent of the Congress, accept of any present, emolument, office, or title, of any kind whatever, from any king, prince, or foreign state.”

AC (profile) says:

Re: Re: Re:

No, but the fact that all this information was gathered from other public databases makes a pretty strong argument for this being essentially public data.

Embarrassing, sure. Stupid, absolutely. But there will be a number of people and news outlets calling for legal or financial penalties (including lawsuits, probably) that just aren’t appropriate.

Richard Hack (profile) says:

Putin did it!

How long before Clapper and his ilk declare Putin did this to steal voter records? 5…4…3…2…

There is as yet ZERO evidence establishing that the Russian government has done ANYTHING with regard to the US election.

The ONLY “evidence” of ANY kind was that provided by CrowdStrike re the DNC leaks – and that was utter crap, thoroughly debunked as proving nothing by a company whose head is an Atlantic Council member with close ties to Ukraine.

Anonymous Coward says:

I have no major problem with businesses trying to get revenue through ads. I do object to personal data being collected, sold on and combined with other datasets.

People don’t understand how powerful large personal datasets are.

It may start as lists of music you listened to, tv shows you watched, stuff you bought, sites you visited and contact lists, but you can infer all sorts of other things from it, including health, relationship status, religion, voting intentions, sexual orientation etc. Data you can openly buy is enough to build targeted political propaganda bots and worse.

Governments can then combine all of this with everything government bureaucracies collect, from institutions like schools, courts, prisons, hospitals, tax agencies, police etc.

American surveillance capitalism, and the dirty politics associated with it, is unsustainable and toxic. Europe is leading the way here.
