A Virginia data firm working for the Republican National Committee left voting records of 198 million Americans exposed on the internet and accessible to anyone, a California cybersecurity firm said Monday.
The data firm left exposed not only the vast national database but also precise and painstaking projections of most voters’ attitudes on a variety of issues, including Obamacare, lower taxes, immigration, fossil fuels and environmental consciousness.
The records were exposed to anyone who knew rudimentary search techniques, said UpGuard, a Mountain View, California, cybersecurity firm, but the records have since been secured again.
The enormous national database included names, dates of birth, home addresses, phone numbers, party affiliation, racial demographics and voter registration status, UpGuard said in its internet post.
Following a series of hacks on political parties last fall, and attempts by Russia to access election rolls and machinery at the state and local level, the vulnerability of the U.S. electoral process has become a hot topic on Capitol Hill, including a House intelligence panel hearing this Wednesday on “Russian active measures during the 2016 election campaign.”
UpGuard’s disclosure raises even deeper questions about the responsibilities of political parties and private firms in securing and protecting data that is parsed and dissected through increasingly high-powered analytic tools.
“The fact is that if you’re a registered voter, your personal information was exposed here. I think that will be troubling to a lot of people,” said Dan O’Sullivan, a cyber resilience analyst at UpGuard.
The RNC-linked firm, Deep Root Analytics, of Arlington, Va., issued a statement saying the information “was accessed without our knowledge.” Controls were since put in place “to prevent further access. We take full responsibility for this situation.”
The company, which said the data was used for targeted television advertising, said network access settings were changed some time after June 1, leaving the data vulnerable but providing only a small window of time for exposure. It added that it believed UpGuard’s researcher, Chris Vickery, was the only person to have downloaded the data. It said it had hired a Washington cybersecurity firm, Stroz Friedberg, to review how the vulnerability happened.
“Based on the information we have gathered thus far, we do not believe that our systems have been hacked,” Deep Root Analytics said in the statement.
O’Sullivan said the information was kept by Amazon Web Services, a cloud-based storage provider, and was not password-protected.
“If we can find that, anyone can find that,” O’Sullivan said. “It didn’t take anyone with special engineering.”
The United States has roughly 200 million registered voters, so the data exposed would encompass nearly the entire universe of U.S. voters.
Vickery, who was working as part of UpGuard’s Cyber Risk Team, discovered a data repository on Amazon Web Services June 12 and downloaded it, a total of 1.1 terabytes of data, equivalent to 500 hours of video, the company said.
Vickery, who is noted for finding sensitive information on the internet in the past, guessed a subdomain name – “dra-dw” – which stands for Deep Root Analytics-data warehouse, UpGuard said. Vickery notified federal authorities of the matter June 14, and it was quickly secured.
Working with Deep Root Analytics in compiling the data were two other firms with strong ties to the Republican National Committee, Target Point Consulting Inc. and Data Trust, UpGuard said, and all were involved in President Donald Trump’s 2016 campaign.
In addition to the general database information, there were files on U.S. voters containing 9.5 billion projections, calculated on a scale of zero to one and with precision to the sixth decimal place, on voting tendencies in past presidential elections and on a series of 46 issues, UpGuard said.
“It’s not just who you voted for. It’s, you know, ‘Do you agree that companies shouldn’t be allowed to ship jobs overseas?’ ‘Do you agree with President Trump’s America First foreign policy?’ ‘Do you agree we need to move away from fossil fuels?’” O’Sullivan said.
O’Sullivan said employees looking in the database for their own records and projections found them “to be quite accurate” for themselves.
UpGuard does not plan to hang on to the databases.
“We don’t want this on our hands. Essentially, we want to hang onto it only so long as the authorities require it, and then get rid of it, permanently delete the data,” O’Sullivan said.