A Christian conservative organization is believed to be responsible for exposing the details of millions of U.S. citizens by failing to ensure that its databases could not be accessed by unauthorized individuals.
Security researcher Chris Vickery has been spending most of his free time scanning the Web for improperly configured databases. The expert has identified dozens of databases exposing the personal details of millions of people.
Millions of voter records exposed
In late December, Vickery reported finding a MongoDB database containing the records of 191 million U.S. voters, includes their names, gender data, home addresses, mailing addresses, phone numbers, dates of birth, party affiliations, and other details dating back to 2000.
However, tracking down the owner of the database proved a difficult task. The main suspect was initially NationBuilder, a platform used by political campaigns worldwide. NationBuilder has admitted that it might be the source of some pieces of information included in the leaky database, but the company denied being responsible for the database itself.
Shortly after finding the 191 million records, Vickery identified a second database containing more than 56 million records. Roughly 37 million of these records included the details of voters in states whose name starts with the letters A through I, except D.C, Illinois and Iowa. The information was similar to the one found in the database containing 191 million records, but it had been updated more recently, in April 2015.
The other approximately 19 million records included additional personal details about each individual, including their income level, employment, and whether they were a charity donor, a religious donor, a health donor, a political donor, and a gun owner. The records also specified if a certain individual had any political party affiliations and if they were interested in hunting/fishing and auto racing.
Evidence suggests United in Purpose owns the databases
According to DataBreaches.net, which worked with Vickery in analyzing the exposed information, the second database contains clues indicating that it could belong to a company called Pioneer Solutions, Inc. The researcher discovered that when someone signs up on Pioneer Solutions’ website, they get a confirmation email associated with a domain belonging to United in Purpose, a right-wing conservative social welfare organization.
Both Pioneer Solutions and United in Purpose are run by Bill Dallas, a former real-estate entrepreneur convicted for embezzlement. After his release in 1995, Dallas launched a communications firm for churches and wrote a book about how his life changed after spending time in a maximum-security prison.
United in Purpose uses data mining to identify Christians who are not registered to vote. According to a 2012 report from NPR, the company has been building a profile for each citizen to determine if they are “very serious” about their faith. Unregistered people whose profiles show that they are conservative Christians are then contacted by the organization.
The system assigns points to determine if an individual is a conservative Christian. Points are given if an individual likes NASCAR or fishing, if they are on traditional marriage or anti-abortion lists, if they attend church regularly, and if they home-school their kids.
This type of information matches the one found in the second database identified by Vickery. Furthermore, in 2012, United in Purpose reported that its database had already contained the details of 180 million adults in the United States.
DataBreaches.net wrote to Pioneer Solutions via its contact form and it received a response from Tamas Cser, the CEO of web design and application development company Digital Smart Technologies.
Both the database containing 191 million records and the one containing 56 million records were secured within 12 hours after DataBreaches was contacted by Cser. The Digital Smart Technologies CEO has denied that they manage the first database and claimed to be investigating the second database leak. It’s worth noting that the two databases were found on different IP addresses.
Based on the type of exposed information and since both databases were secured on the same day, Vickery believes United in Purpose is responsible for exposing voter records.
“Here's my take on it: United in Purpose are ultra-conservative, anti-abortion, religious fanatics with Tea Party affiliations and they were most likely leaking America's personal details to the world,” Vickery said.
SecurityWeek has contacted United in Purpose, Pioneer Solutions and Digital Smart Technologies for comment.