Another Day, Another Pile Of Voter Data Left Laying Around On A Public Server

from the you'd-think-we'd-learn-something dept

Leaving private voter or customer data easily accessible on a public-facing server is the hot new fashion trend. You’ll recall that it’s a problem that has plagued the Defense Department, GOP data firm Deep Root Analytics (198 million voter records exposed), Verizon’s marketing partners (6 million users impacted), Time Warner Cable (4 million users impacted), and countless other companies or partners that failed to implement even basic security practices. And it’s a trend that shows no sign of slowing down despite repeated, similar stories (much of it thanks to analysis by security researcher Chris Vickery).

This week yet another pile of private voter data was left publicly accessible for anybody to peruse. According to analysis by Kromtech Security?s Bob Dianchenko, a Virginia-based political consulting and robocalling company by the name of Robocent publicly exposed 2,600 files, including voter file spreadsheets (including voter phone numbers, names, addresses, political affiliations, gender, voting districts and more) and audio recordings for a number of political campaigns.

When Diachenko contacted the firm, he was told that they were a “small shop” and that “keeping track of everything can be tough.” In a statement to ZDNet, which first reported the latest exposure, Robocent co-founder Travis Trawick did his best to downplay the exposure by insisting the data was stale, and publicly-available anyway:

“In an emailed statement, Robocent co-founder Travis Trawick confirmed that the data had been secured, and claimed that the data was from “an old bucket from 2013-2016 that hasn’t been used in the past two years.” He confirmed that the company is investigating the scope of the data that was accessible. “All exposed data was publically available information,” he said, adding that he will contact affected customers “if required by law.”

The problem: what’s deemed “publicly available” varies from state to state. While voter data is generally a matter of public record, states like Maine and Massachusetts restrict the use of such data for political campaign purposes. Other States, like South Carolina, have restrictions on only selling said data if you’re a registered voter in the state. And while the data may have been stale, it still wasn’t adequately protected however you slice it; it was quickly indexed by GrayhatWarfare, a searchable database where a current list of 48,623 open S3 buckets can be perused at your leisure.

This latest exposure is believed to be the fifth major breach of voter data in the last half-decade. It’s a trend that shows no real sign of slowing down despite the simplicity of protecting this data and the rampant press coverage such exposures routinely receive.

Filed Under: , , , , ,
Companies: kromtech security, robocent

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Another Day, Another Pile Of Voter Data Left Laying Around On A Public Server”

Subscribe: RSS Leave a comment
That Anonymous Coward (profile) says:

“he was told that they were a “small shop” and that “keeping track of everything can be tough.””

If there were actual penalties to be paid for fscking around on security, I betcha they could keep track of things.

Until the cost to the company is greater than the downside they will keep doing things in a shitty fashion. The only people making bank on this are the credit monitoring services (who leak only slightly less than those who buy their service in bulk to stop lawsuits).

Pretty sure it wouldn’t take huge numbers to cause change.
Say $1000…. $500 to the Government & $500 to the person who had their data leaked (because no settlement is ever enough so why the fsck not).

Anonymous Coward says:

Re: Where is Amazon?

I don’t know squat about Amazon AWS, but I’m also not going to point at the provider of the building blocks for the idiocy of the people who used them to build something.

Wouldn’t be at all surprised if Amazon does provide some very easily implemented basic-level security options/services that this particular company never took advantage of.

Don’t push blame down the stack.

Bl00p says:

Re: Re: Where is Amazon?

Perhaps blame should be pushed down the stack, this issue is a serious one, and everyone involved should be looked at. He stated that Amazon was a easy target due to lack thereof of security, it can only help everyone involved to increase said security.

Don’t pretend that no big fishes are to blame in this mess, ignorance ain’t no bliss, wake up.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...