Personal data and profiling information about millions of American voters has been exposed in what is believed to be the largest ever leak of its kind.
198 million records were found stored on an unsecured Amazon S3 server owned by Deep Root Analytics, a Republican data analytics firm. It is thought that the data, which dates back more than a decade, includes information about every registered American voter.
The open server was discovered by UpGuard Cyber Risk Analyst Chris Vickery, but disclosure of the availability of the data was delayed until the server had been made secure. The amount of information exposed by the incident is tremendous and it gives a fascinating insight into the targeting of voters in the run-up to the election. UpGuard's Dan O'Sullivan explains:
In what is the largest known data exposure of its kind, UpGuard's Cyber Risk Team can now confirm that a misconfigured database containing the sensitive personal details of over 198 million American voters was left exposed to the internet by a firm working on behalf of the Republican National Committee (RNC) in their efforts to elect Donald Trump. The data, which was stored in a publicly accessible cloud server owned by Republican data firm Deep Root Analytics, included 1.1 terabytes of entirely unsecured personal information compiled by DRA and at least two other Republican contractors, TargetPoint Consulting, Inc. and Data Trust. In total, the personal information of potentially near all of America’s 200 million registered voters was exposed, including names, dates of birth, home addresses, phone numbers, and voter registration details, as well as data described as "modelled" voter ethnicities and religions.
With multiple stores of data using 32-character alphanumeric "RNC ID", it is not only possible to uniquely identify people referred to in the database, but to pull together vast troves of information about them. The information was originally intended to be used by political candidates to target potential voters and tailor their campaigns appropriately.
At the moment it is not clear who, if anyone, other than UpGuard gained access to the data, but considering all that was needed was to visit a very simple URL, the chances are high that information could have fallen into the wrong hands. ZDNet reports that Deep Root Analystic's co-founder, Alex Lundry, confirmed ownership of the server and said his company took "full responsibility for this situation."