Unprotected US voter data has been discovered by cyber resilience firm UpGuard in a publicly accessible cloud server hosted by Amazon Web Services and owned by Republican data firm Deep Root Analytics.
The data was discovered by UpGuard cyber risk analyst Chris Vickery on 12 June while searching for misconfigured data sources.
The data included 1.1TB of entirely unsecured personal information compiled by Deep Root Analytics and at least two other Republican contractors, TargetPoint Consulting and Data Trust.
The data repository was accessible to anyone with an internet connection simply by navigating to a six-character Amazon subdomain, “dra-dw”, which stands for “Deep Root Analytics Data Warehouse”.
The repository was secured against public access on 14 June after Vickery notified federal authorities. Deep Root said in a statement that the data was exposed on 1 June when the firm updated security settings. If this is true, the data was exposed for two weeks.
The personal information of potentially nearly all of the 200 million registered voters in the US was exposed for an unknown period of time. It is also unknown who besides Vickery discovered and accessed the data, which included names, dates of birth, home addresses, phone numbers and voter registration details.
The data also included advanced sentiment analyses used by political groups to predict where individual voters fall on issues such as gun ownership, stem cell research, and the right to abortion, as well as suspected religious affiliation and ethnicity.
The exposure far exceeds previous breaches of electoral data in Mexico and the Philippines, by well over 100 million affected individuals, and covers the personal information of more than 61% of the US population.
According to UpGuard’s cyber risk team, the exposed data provides insight into the inner workings of the Republican National Committee’s (RNC) $100m data operation for the 2016 presidential election.
Deep Root Analytics, TargetPoint and Data Trust were among the RNC-hired firms working as the core of the Trump campaign’s 2016 election data team that the party relied on to influence potential voters and accurately predict their behaviour.
The RNC data repository would ultimately acquire about 9.5 billion data points regarding three out of every five US citizens, scoring 198 million potential US voters on their likely political preferences using advanced algorithmic modelling across 48 categories.
As well as the 1.1TB of unsecured data, there was 24TB of data that had been configured to prevent public access.
According to UpGuard, this exposure raises significant questions about the privacy and security US citizens can expect for their most privileged information.
It also comes at a time when the integrity of the US electoral process has been tested by a series of cyber assaults against state voter databases, sparking concern that cyber risk could increasingly pose a threat to the most important US democratic and governmental institutions, the company said.
UpGuard said it is “troubling” that such an enormous national database could be created and hosted online, missing even the simplest of protections against the data being publicly accessible.
The ability to collect such information and store it insecurely further calls into question the responsibilities owed by private corporations and political campaigns to those citizens targeted by increasingly high-powered data analytics operations, the company said.
“What is beyond debate in 2017 is the increasing inability to trust in the integrity of information technology systems, particularly at scale,” UpGuard said in a blog post. “As reliance on technology increases, so the cyber risk surface grows; as more and more functions of life migrate onto digital platforms, more and more functions of life invite cyber risk.
“Beyond the almost limitless criminal applications of the exposed data for purposes of identity theft, fraud and resale on the black market, the theft of the data and analytical power of the modelling could be applied to even more ambitious efforts – corporate marketing, spam, advanced political targeting.”
The company said any of these potential misuses of private information can be prevented, as long as stakeholders obey a few simple precepts in collecting and storing data.
Brad Keller, senior director, 3rd party strategy at risk management firm Prevalent, said that although this incident involved voter information, it could just as easily have been a company’s go-to-market strategy for a new product, proprietary intellectual property, or a marketing campaign tied to an unannounced merger or acquisition.
“The point is that even information that may seem benign at first glance can be extremely valuable and create direct economic loss, if not properly protected,” said Keller.
The discovery of the exposed database once again highlights the importance of ensuring the security of third-party suppliers.
The RNC said in a statement that it has stopped further work with Deep Root “pending the conclusion of their investigation into security procedures”, according to CNN.
“While Deep Root has confirmed the information accessed did not contain any proprietary RNC information, the RNC takes the security of voter information very seriously and we require vendors to do the same,” the RNC said.