The exposed database includes personal information, as well as political preferences and religious views
The personal information, religious beliefs and political views of close to 200 million US citizens have been accidentally revealed by marketers working on behalf of the Republican National Committee.
The mammoth 1.1TB dataset, which covers more than 60% of the total US population, was owned by Deep Root Analytics, and included not just names, addresses, telephone numbers and dates of birth, but also information about potential political viewpoints, religious leanings and ethnicity.
The database was discovered by UpGuard security researcher Chris Vickery on a public-facing AWS server, with no security, encryption or authentication safeguards in place. Vickery made the discovery on 12 June, but according to a statement given to Gizmodo by Deep Root Analytics’ founder Alex Lundry, the information had only been exposed since 1 June following an update to its security settings.
“We take full responsibility for this situation,” he said. “Since this event has come to our attention, we have updated the access settings and put protocols in place to prevent further access”.
“The fundamental problems which exposed this data are not rare, uncommon, or consigned to one side of the partisan divide,” wrote UpGuard in a blog post. “The same factors that have resulted in thousands of previous data breaches – forgotten databases, third-party vendor risks, inappropriate permissions – combined with the RNC campaign operation to create a nearly unprecedented data breach.”
Security industry experts have been queuing up to lambast Deep Root for letting such a huge dataset sit unprotected, with many accusing the company of failing to follow basic security protocols.
“The accidental data leakage of 200 million American voter records is the latest example of an unfortunate but sobering reality,” said Forcepoint CEO Matt Moynahan; “more often than not, data breaches are caused not by malicious hackers but by inadvertent errors made by employees.”
DQM GRC technical director Peter Galdies also cautioned that if this had affected EU voters, the consequences for Deep Root could have been dire under incoming stricter data protection rules for EU citizens. He said: “If this data had belonged to European or UK residents then this would have qualified as a hugely serious breach of the new GDPR law… potentially resulting in very serious consequences to all the organisations found responsible, including the data processors.”
Tim Erlin, Tripwire vice president, noted that this is a reminder of how fundamental data security should be. “Any organisation that is managing sensitive data, especially in the cloud, should look at this incident as a wake-up call,” he said. “Executives should ask themselves if this kind of incident could occur inside of their organization, and then they should follow-up by asking exactly how it would be prevented.”
However, in addition to the obvious security concerns raised by the incident, for many experts it has also brought up questions about the level of data-gathering being performed on ordinary citizens without their knowledge.
The data was compiled by three Republican data analysis firms – Deep Root, Target Point Consulting and Data Trust. These consultants were hired by the Republican Party with the apparent goal of building a comprehensive profile of as many voters as possible, which would then be used to micro-target them with political messaging and propaganda specifically tailored to appeal to their individual beliefs.
This isn’t the first time similar mass-monitoring methods have been deployed in the service of a political agenda; a comprehensive investigation by The Guardian revealed that data-mining firm Cambridge Analytica was heavily linked both to various pro-Brexit campaign groups and to several billionaire backers – including UKIP donor Arron Banks and Trump’s chief strategist Steve Bannon. The news prompted the Information Commissioner’s Office to launch an ongoing investigation into the use of personal data in political campaigns.
“The average citizen likely doesn’t appreciate the level at which this kind of data drives the political process,” said Erlin. “This is a treasure trove of personal information that was sitting unprotected on the internet.