A data contractor working on behalf of the Republican National Committee earlier this month allowed the personal data of 198 million voters to be exposed online, marking the largest ever leak of voter data in history, according to the cybersecurity firm that discovered the incident.
Deep Root Analytics left 1.1 terabytes of sensitive information — including names, home addresses, dates of birth, phone numbers and voter registration information — on a publicly accessible Amazon Web Server, according to UpGuard.
The data, which was compiled during the 2016 presidential cycle by DRA and two other firms — Target Point Consulting and Data Trust — included modeled ethnicities and religions.
The previous record for a voter data leak was the exposure of 100 million records in Mexico, UpGuard reported.
Deep Root acknowledged that “a number of files” within its storage system had been accessed but claimed that the exposed database had not been built for any specific client. Rather, it was the firm’s “proprietary analysis” meant for television advertising purposes.
The information accessed consisted of voter data that already was publicly available and readily provided by state government offices, Deep Root maintained.
Nevertheless, it took steps to prevent further access and took “full responsibility” for the breach.
Deep Root Analytics uses standard industry protocols and last updated its security settings on June 1, it said. However, access was gained through a change in access settings on that same date.
Although the company does not believe it was hacked, it has hired an outside cybersecurity firm, Stroz Friedberg, to conduct a thorough investigation.
The only person known to have access to the data was Chris Vickery, the Upguard researcher who discovered the problem, said Bill Daddi, a spokesperson for Deep Root.
That being the case, it’s unclear that the incident can be characterized as a data “exposure” issue, he told the E-Commerce Times.
Deep Root Analytics was founded in 2013 by Alex Lundry, a data researcher who worked on Mitt Romney’s 2012 presidential campaign, according to Upguard.
The firm uses proprietary big data analytics technology to target campaigns toward specific voters. It has provided services for numerous major political campaigns, including Chris Christie’s 2013 re-election campaign for New Jersey governor, the Greg Abbott’s 2014 campaign for Texas governor, and Donald Trump’s 2016 campaign for U.S. president.
Deep Root informs local ad buys, but it does not engage in digital marketing or targeted outreach, according to Daddi.
Based on information made available about the leak, it appears that Amazon Web Services is not responsible for the incident, said Mark Nunnikhoven, vice president for cloud research at Trend Micro.
“From the little technical detail that is available, it appears as if the company managing the data left it exposed to the public,” he told the E-Commerce Times. “This is not the default setting for the service they used. Making data publicly available is a feature of this service, but one that requires explicit configuration.”
Vickery, a cyber risk analyst at Upguard, regularly searches for misconfigured, publicly exposed databases as part of his job, said Kelly Rethmeyer, a spokesperson for the company.
“Unfortunately, the specter of misconfigured cloud-based storage servers spilling data into the open Internet continues to be an all too-common phenomenon, as evidenced by Chris’ discovery of an RNC data firm’s publicly accessible database exposing the details of 198 million potential voters,” she told the E-Commerce Times.
“While the scale may be unprecedented, the core issues driving the exposure are pervasive around the Internet,” noted Sam Elliott, director of security product management at Bomgar.
“This significantly increases the risk of that information being leaked,” he told the E-Commerce Times, “or a breach occurring due to a contractor being compromised, as was the case in the infamous OPM breach.”
Organizations falsely assume that outside contractors operate under the same security standards as the hiring entity, Elliott told the E-Commerce Times.
They should set policies in advance, with the backup of full enforcement, he recommended, because “organizations in the public and private sectors alike are increasingly working with external vendors who either have access to or store sensitive data.”