Connect with us

Hi, what are you looking for?


Data Protection

Republican Party Contractor Exposes Details of 198 Million American Voters

More than 1 terabytes of data compiled by three contractors of the U.S. Republican Party, including the details of 198 million American voters, were stored in a misconfigured database that could have been accessed by anyone, according to cyber resilience startup UpGuard.

More than 1 terabytes of data compiled by three contractors of the U.S. Republican Party, including the details of 198 million American voters, were stored in a misconfigured database that could have been accessed by anyone, according to cyber resilience startup UpGuard.

Researcher Chris Vickery, who recently joined UpGuard as a risk analyst, discovered the unprotected Amazon Web Services (AWS) S3 bucket containing the data on June 12. Federal authorities were notified on June 14 – after all the data was downloaded – and the database was secured on the same day.

The database included information such as name, date of birth, home address, phone number, voter registration status, political views, and data on race and ethnicity.American voter data exposed by Republicans

UpGuard’s analysis showed that the unprotected cloud server was managed by Deep Root Analytics, a company that offers a data management platform for targeted TV advertising. The firm, which bills itself as “the most experienced group of targeters in Republican politics,” has taken responsibility for the incident.

Deep Root Analytics said the exposed data included both proprietary information and publicly available voter data. The company said there was no evidence that anyone other than Vickery accessed the files.

According to UpGuard, the exposed files suggested that at least two other companies, TargetPoint Consulting and Data Trust, also contributed to the database. TargetPoint is a market research and knowledge management firm whose services were used by President George W. Bush in his 2004 campaign, and Data Trust is the “exclusive data provider” of the Republican National Committee (RNC).

Deep Root Analytics, TargetPoint Consulting and Data Trust all played an important role in the recent campaign of President Donald Trump.

“Like political operatives, hackers constantly search for ways to move a person to take a particular action. This database, with political preferences and other private information for millions of Americans, is a treasure trove for creative hackers,” said Adam Levin, chairman and founder of CyberScout. “They can pose as anyone from a political action committee or local voting board to the IRS or a bank in phishing emails, to coax additional information from voters, such as social security numbers for identity theft, or they can influence the voting process directly.”

“Any organization that collects and stores data such as voter information must exercise the highest level of cyber hygiene. This includes repeated penetration testing and searches for and patches to new vulnerabilities as well as continual monitoring for unusual data exfiltration,” Levin added.

Advertisement. Scroll to continue reading.

As for Deep Root Analytics’ failure to secure the data, Paul Fletcher, cyber security evangelist at Alert Logic, pointed out that Amazon offers the tools needed to protect cloud instances.

“The fact that this exposure was discovered on a public cloud site is irrelevant, in fact, if the AWS suite of security tools and log collection capabilities were properly implemented, this massive data exposure could’ve been avoided. The Amazon S3 server comes by default with an access control list (ACL), which needs to be properly set up, maintained and audited by the organization (and in this case), the organization’s customer – the GOP,” Fletcher told SecurityWeek. “Extra security is also available using server side encryption, again offered by AWS, but the responsibility to implement this solution is up to the public cloud customer.”

This was not the first time Vickery discovered an exposed database containing the details of U.S. voters. Back in December 2015, he stumbled upon personal information on 191 million Americans. A few months later, he identified a database storing the records of Mexican voters.

Related Reading: U.S. Defense Contractor Exposes Sensitive Military Data

Related Reading: 55 Million Exposed After Hack of Philippine Election Site

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...