More than 1 terabytes of data compiled by three contractors of the U.S. Republican Party, including the details of 198 million American voters, were stored in a misconfigured database that could have been accessed by anyone, according to cyber resilience startup UpGuard.
Researcher Chris Vickery, who recently joined UpGuard as a risk analyst, discovered the unprotected Amazon Web Services (AWS) S3 bucket containing the data on June 12. Federal authorities were notified on June 14 – after all the data was downloaded – and the database was secured on the same day.
The database included information such as name, date of birth, home address, phone number, voter registration status, political views, and data on race and ethnicity.
UpGuard’s analysis showed that the unprotected cloud server was managed by Deep Root Analytics, a company that offers a data management platform for targeted TV advertising. The firm, which bills itself as “the most experienced group of targeters in Republican politics,” has taken responsibility for the incident.
Deep Root Analytics said the exposed data included both proprietary information and publicly available voter data. The company said there was no evidence that anyone other than Vickery accessed the files.
According to UpGuard, the exposed files suggested that at least two other companies, TargetPoint Consulting and Data Trust, also contributed to the database. TargetPoint is a market research and knowledge management firm whose services were used by President George W. Bush in his 2004 campaign, and Data Trust is the “exclusive data provider” of the Republican National Committee (RNC).
Deep Root Analytics, TargetPoint Consulting and Data Trust all played an important role in the recent campaign of President Donald Trump.
“Like political operatives, hackers constantly search for ways to move a person to take a particular action. This database, with political preferences and other private information for millions of Americans, is a treasure trove for creative hackers,” said Adam Levin, chairman and founder of CyberScout. “They can pose as anyone from a political action committee or local voting board to the IRS or a bank in phishing emails, to coax additional information from voters, such as social security numbers for identity theft, or they can influence the voting process directly.”
“Any organization that collects and stores data such as voter information must exercise the highest level of cyber hygiene. This includes repeated penetration testing and searches for and patches to new vulnerabilities as well as continual monitoring for unusual data exfiltration,” Levin added.
As for Deep Root Analytics’ failure to secure the data, Paul Fletcher, cyber security evangelist at Alert Logic, pointed out that Amazon offers the tools needed to protect cloud instances.
“The fact that this exposure was discovered on a public cloud site is irrelevant, in fact, if the AWS suite of security tools and log collection capabilities were properly implemented, this massive data exposure could’ve been avoided. The Amazon S3 server comes by default with an access control list (ACL), which needs to be properly set up, maintained and audited by the organization (and in this case), the organization’s customer – the GOP,” Fletcher told SecurityWeek. “Extra security is also available using server side encryption, again offered by AWS, but the responsibility to implement this solution is up to the public cloud customer.”
This was not the first time Vickery discovered an exposed database containing the details of U.S. voters. Back in December 2015, he stumbled upon personal information on 191 million Americans. A few months later, he identified a database storing the records of Mexican voters.
Related Reading: U.S. Defense Contractor Exposes Sensitive Military Data
Related Reading: 55 Million Exposed After Hack of Philippine Election Site
