The political preferences and personal data of more than 198 million US citizens were left exposed on a publicly accessible Amazon cloud server of a Republican Party contractor. The 1.1 terabytes of vulnerable data includes sensitive personal details like birth dates, addresses, and voter registration data, as well as advanced models of voter preferences on political issues ranging from Trump’s foreign policy to gun control.
Deep Root Analytics, a GOP-hired marketing and data analytics firm, confirmed to Gizmodo that it had amassed the leaked data from sources ranging from subreddits to the records of conservative super PACs. Deep Root, which was founded by a former data director for Romney’s unsuccessful presidential bid in 2012, conducts big data analytics to help Republican campaigns tailor political advertisements to specific demographics. Federal Election Commission filings show that the GOP retained the services of Deep Root during Trump’s presidential campaign, paying out $983,000 to the firm between January 2015 and November 2016.
The leak, which affects well over half of the US population, constitutes the largest data breach of its kind. To say that it was the result of lax security would be an understatement, as the information lacked basic password protection and was retrievable by anyone with a URL to the database. The existence of the unguarded data warehouse was discovered on June 12 by Chris Vickery, a cyber risk analyst at UpGuard, who reported the vulnerability to the Republican National Committee.
Deep Root believes the vulnerability occurred when it changed its security settings at the beginning of June, meaning the trove was left exposed for 12 days. It has hired a cybersecurity firm to investigate and updated the access settings to the data trove. In a statement, Deep Root accepted responsibility for the leak and noted that Vickery may have been the only individual to access the data: “We accept full responsibility, will continue with our investigation, and based on the information we have gathered thus far, we do not believe that our systems have been hacked. To date, the only entity that we are aware of that had access to the data was Chris Vickery.”
Large-scale data breaches have become increasingly common in both the private and public sectors (both the RNC and DNC were hacked during the 2016 election), a trend that shows no signs of slowing and underscores the urgent need for greater accountability. And while it appears so far that no malicious parties hacked Deep Root’s data warehouse, such parties could very well have exploited it for all manner of nefarious purposes ranging from political intimidation to identity theft. Moreover, the latest incident points to alarming flaws in the US electoral process, particularly with regard to the insecurity of voter databases held by public institutions, political organizations on both sides of the aisle, and private corporations.
As UpGuard puts it: “That such an enormous national database could be created and hosted online, missing even the simplest of protections against the data being publicly accessible, is troubling. The ability to collect such information and store it insecurely further calls into question the responsibilities owed by private corporations and political campaigns to those citizens targeted by increasingly high-powered data analytics operations.”
To put it differently, the status quo permits firms like Deep Root to amass sensitive data and leave it unsecured. “I can think of no avenues for punishing political data breaches or otherwise properly aligning the incentives. I worry that if there’s no way to punish campaigns for leaking this stuff, it’s going to continue to happen until something bad happens,” the Center for Democracy and Technology’s chief technologist, Joseph Hall, said to Gizmodo.
And barring any sweeping changes, UpGuard states that this leak will “doubtlessly be topped in the future.”