Personal Info For 200 Million U.S. Voters Left Unsecured Online

Image courtesy of The Idealist

A cybersecurity firm says that a database of registered voter information containing personal data on nearly 200 million Americans was left online without proper security by a contractor hired by the Republican National Committee.

This is according to UpGuard, a firm that says it discovered this database on June 12. The 1.1 terabytes of data included the names, mailing addresses, phone numbers, dates of birth, voter registration details, and other data that tries to predict each person’s likely religion and ethnicity, for around 198 million registered voters. That would appear to be every, or close to every, registered voter in the U.S.

The data was stored on a cloud server owned by Deep Root Analytics, a media analytics firm hired by the RNC as part of the 2016 election campaign. The database was last updated in early 2017.

In a statement in response to the UpGuard report, Deep Root contends that the data on the server “was not built for or used by any specific client. It is our proprietary analysis to help inform local television ad buying.”

Okay, but why was it not secure? Deep Root says it didn’t need to be.

“The data that was accessed was, to the best of our knowledge proprietary information as well as voter data that is publicly available and readily provided by state government offices,” explains the company. “Since this event has come to our attention, we have updated the access settings and put protocols in place to prevent further access.”

The company says it it conducting an internal review and believes that the data found by UpGuard was only exposed following a change put in place earlier this month.

“We accept full responsibility, will continue with our investigation, and based on the information we have gathered thus far, we do not believe that our systems have been hacked,” says Deep Root.

While the data left exposed on this server was not the sort of highly sensitive bank/credit account information that one normally associates with cybercrime, UpGuard’s Dan O’Sullivan says that the incident nonetheless “raises significant questions about the privacy and security Americans can expect for their most privileged information… That such an enormous national database could be created and hosted online, missing even the simplest of protections against the data being publicly accessible, is troubling.”

Additionally, as we noted in our recent story about a Home Depot website containing personal information for thousands of home installation customers, having the full set of someone’s basic data — name, address, phone number, DOB — is gold for a scammer who knows how to use that information to get things they really want: Resetting passwords, redirecting mail, taking out subscriptions in someone else’s name, or impersonating that person to get a new ID.

“A lot of information or partial information can be traded on the black market and on dark web sites,” Nat Wood of the Federal Trade Commission told Consumerist at the time about imposter scams and “pretexting,” where a scammer convinces his or her target of a pre-existing relationship in order to get access to more valuable information. “Sometimes the scammers have part of your Social Security number, or they know a lot about you. They know where you live and your name and some of your relations. They either know, or can guess, an account that you have, and they sound very legitimate.”