Another Day, Another Pile Of Voter Data Left Laying Around On A Public Server

from the you'd-think-we'd-learn-something dept

Leaving private voter or customer data easily accessible on a public-facing server is the hot new fashion trend. You'll recall that it's a problem that has plagued the Defense Department, GOP data firm Deep Root Analytics (198 million voter records exposed), Verizon's marketing partners (6 million users impacted), Time Warner Cable (4 million users impacted), and countless other companies or partners that failed to implement even basic security practices. And it's a trend that shows no sign of slowing down despite repeated, similar stories (much of it thanks to analysis by security researcher Chris Vickery).

This week yet another pile of private voter data was left publicly accessible for anybody to peruse. According to analysis by Kromtech Security’s Bob Dianchenko, a Virginia-based political consulting and robocalling company by the name of Robocent publicly exposed 2,600 files, including voter file spreadsheets (including voter phone numbers, names, addresses, political affiliations, gender, voting districts and more) and audio recordings for a number of political campaigns.

When Diachenko contacted the firm, he was told that they were a "small shop" and that "keeping track of everything can be tough." In a statement to ZDNet, which first reported the latest exposure, Robocent co-founder Travis Trawick did his best to downplay the exposure by insisting the data was stale, and publicly-available anyway:

"In an emailed statement, Robocent co-founder Travis Trawick confirmed that the data had been secured, and claimed that the data was from "an old bucket from 2013-2016 that hasn't been used in the past two years." He confirmed that the company is investigating the scope of the data that was accessible. "All exposed data was publically available information," he said, adding that he will contact affected customers "if required by law."

The problem: what's deemed "publicly available" varies from state to state. While voter data is generally a matter of public record, states like Maine and Massachusetts restrict the use of such data for political campaign purposes. Other States, like South Carolina, have restrictions on only selling said data if you're a registered voter in the state. And while the data may have been stale, it still wasn't adequately protected however you slice it; it was quickly indexed by GrayhatWarfare, a searchable database where a current list of 48,623 open S3 buckets can be perused at your leisure.

This latest exposure is believed to be the fifth major breach of voter data in the last half-decade. It's a trend that shows no real sign of slowing down despite the simplicity of protecting this data and the rampant press coverage such exposures routinely receive.


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    Uriel-238 (profile), 19 Jul 2018 @ 10:51am

    Uriel's Conclusion (based on many observations)

    It's a great era for hackers.

    reply to this | link to this | view in chronology ]

  • icon
    steell (profile), 19 Jul 2018 @ 10:57am

    Is there anyone

    in the US whose personal data has not been revealed / stolen? Maybe even multiple times?

    reply to this | link to this | view in chronology ]

  • icon
    Berenerd (profile), 19 Jul 2018 @ 11:46am

    This might explain why I am suddenly getting all these scam charity calls all of the sudden. Then there is the "save 30% on your electric bills 30% from random cell numbers

    reply to this | link to this | view in chronology ]

  • icon
    That Anonymous Coward (profile), 19 Jul 2018 @ 12:00pm

    "he was told that they were a "small shop" and that "keeping track of everything can be tough.""

    If there were actual penalties to be paid for fscking around on security, I betcha they could keep track of things.

    Until the cost to the company is greater than the downside they will keep doing things in a shitty fashion. The only people making bank on this are the credit monitoring services (who leak only slightly less than those who buy their service in bulk to stop lawsuits).

    Pretty sure it wouldn't take huge numbers to cause change.
    Say $1000.... $500 to the Government & $500 to the person who had their data leaked (because no settlement is ever enough so why the fsck not).

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 19 Jul 2018 @ 12:25pm

    It was the Ruskies.

    reply to this | link to this | view in chronology ]

  • icon
    Mike Shore (profile), 19 Jul 2018 @ 12:26pm

    Where is Amazon?

    Not to minimize the incompetence of these shops, but it seems many of these breaches are of Amazon S3/AWS. I admit I know nothing about how Amazon sets up their cloud offering, but could Amazon help by making their offering more secure by default?

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 19 Jul 2018 @ 12:52pm

      Re: Where is Amazon?

      I don't know squat about Amazon AWS, but I'm also not going to point at the provider of the building blocks for the idiocy of the people who used them to build something.

      Wouldn't be at all surprised if Amazon does provide some very easily implemented basic-level security options/services that this particular company never took advantage of.

      Don't push blame down the stack.

      reply to this | link to this | view in chronology ]

      • identicon
        Bl00p, 20 Jul 2018 @ 4:04am

        Re: Re: Where is Amazon?

        Perhaps blame should be pushed down the stack, this issue is a serious one, and everyone involved should be looked at. He stated that Amazon was a easy target due to lack thereof of security, it can only help everyone involved to increase said security.

        Don't pretend that no big fishes are to blame in this mess, ignorance ain't no bliss, wake up.

        reply to this | link to this | view in chronology ]

        • icon
          Wolfie0827 (profile), 20 Jul 2018 @ 7:26am

          Re: Re: Re: Where is Amazon?

          This is like: You get robbed because you do not lock your door, then blame the door or lock manufacturer because the door/lock wasn't designed to lock automatically.

          reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 19 Jul 2018 @ 1:50pm

    It's almost like some sort of general data protection regulations are needed...

    reply to this | link to this | view in chronology ]

  • identicon
    Amit Sharma, 20 Jul 2018 @ 10:58am

    Where is Amazon?

    don't push blame.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Insider Shop - Show Your Support!

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.