A Republican data firm — one of three contracted to work on Donald Trump’s presidential campaign — inadvertently exposed personal information on nearly 200 million American voters to the entire internet.
For purposes of comparison, consider the fact that 128 million Americans voted in the last election.
A California-based security researcher discovered the exposed information, which formed the backbone for Trump’s data operation. Chris Vickery, a cyberrisk analyst for UpGuard, found the database that, according to UpGuard, contained records from the presidential campaigns of 2008, 2012 and 2016. Vickery also discovered in 2015 a trove of voter data related to 191 million people that was released publicly online.
Data that included home addresses, birthdates, religious backgrounds, ethnic identities, party affiliations and Reddit usage history was stored on a server belonging to Deep Root Analytics, which compiled the information with two other Republican National Committee contractors, TargetPoint Consulting and Data Trust.
With data combined from the two other contractors, Deep Root created a “proprietary analysis to help inform local television ad buying,” Gizmodo reported. Deep Root's predictive model used that data to pinpoint a voter's position on 46 different issues, including how likely he or she was to have supported Obama in 2012 or to agree with Trump's "America first" slogan. (Citizenship can be gleaned from public sources, but this model involves combining it with other types of information to create profiles of individual voters.)
But as UpGuard discovered, the Republican-linked election database was stored on an Amazon cloud server without any password protection. Anyone who knew where to look could have accessed the data simply by navigating to the specific Amazon domain and downloading the sensitive information.
On its website, Deep Root says it "prides itself on presenting large-linked data sets in a useful, easy-to-use and compelling way" and that the team is "the most experienced group of targeters in Republican politics."
A data scientist for Deep Root, Alex Lundry, worked on Gov. Jeb Bush’s presidential campaign. During his failed 2015 presidential bid, Bush released hundreds of thousands of voter emails, many of which contained social security numbers and home addresses.
From 2015 to 2016, the RNC paid Lundry’s firm $983,000.
"We take full responsibility for this situation," Deep Root said in a statement on Monday.
“This is valuable for people who have nefarious purposes,” the Center for Democracy and Technology’s chief technologist, Joseph Lorenzo Hall, told Gizmodo.
Vickery, who first discovered the UpGuard breach and called it the “largest U.S. voter data leak,” also noted that Deep Root houses the files of Kantar Group, a major media and market research company with offices in Beijing and Moscow. UpGuard's Dan O’Sullivan further explained on his company's website:
This exposure raises significant questions about the privacy and security Americans can expect for their most privileged information. It also comes at a time when the integrity of the US electoral process has been tested by a series of cyber assaults against state voter databases, sparking concern that cyber risk could increasingly pose a threat to our most important democratic and governmental institutions.
That such an enormous national database could be created and hosted online, missing even the simplest of protections against the data being publicly accessible, is troubling. The ability to collect such information and store it insecurely further calls into question the responsibilities owed by private corporations and political campaigns to those citizens targeted by increasingly high-powered data analytics operations.
What is beyond debate in 2017 is the increasing inability to trust in the integrity of information technology systems, particularly at scale.