The exposed databases were part of a 25TB bunch of files in an Amazon Cloud account belonging to the data analytics firm Deep Root Analysis.
"In terms of the disk space used, this is the biggest exposure I've found. In terms of the scope and depth, this is the biggest one I've found," Vickery said. The files had a 198 million-entry database containing names, and addresses plus an "RNC ID" that could be used, in conjunction with other exposed files, to research individuals.
In its analysis of the discovery, Upguard wrote: "The data, which was stored in a publicly accessible cloud server owned by Republican data firm Deep Root Analytics, included 1.1 terabytes of entirely unsecured personal information compiled by DRA and at least two other Republican contractors, TargetPoint Consulting and Data Trust.
"In total, the personal information of potentially near all of America’s 200 million registered voters was exposed, including names, dates of birth, home addresses, phone numbers, and voter registration details, as well as data described as 'modelled' voter ethnicities and religions.
Upguard said Vickery had found the database on 12 June, "while searching for misconfigured data sources on behalf of the Cyber Risk Team, a research unit of UpGuard devoted to finding, securing, and raising public awareness of such exposures".
It said that payments by the RNC to two of the companies totalled more than US$5 million. "Between January 2015 and November 2016, the RNC paid TargetPoint US$4.2 million for data services, and gave Causeway around US$500,000 in that time, according to Federal Election Commission reports. Deep Root, acting as Needle Drop, was paid US$983,000 by the RNC."
Upguard said the exposure raised serious questions about the level of privacy and security that Americans could expect for their most privileged information.
"It also comes at a time when the integrity of the US electoral process has been tested by a series of cyber assaults against state voter databases, sparking concern that cyber risk could increasingly pose a threat to our most important democratic and governmental institutions."
Commenting on the incident, Forcepoint chief executive Matt Moynahan said: "The accidental data leakage of 200 million American voter records is the latest example of an unfortunate but sobering reality – more often than not, data breaches are caused not by malicious hackers but by inadvertent errors made by employees.
"Regardless of whether organisations are securing data using on-premises or cloud-based technology, like in the case of Deep Root Analytics, organisations need to balance protecting privacy and understanding how their employees interact with critical business data and intellectual property.
"They should look at people and protect against those behaviours that could result in the loss of valuable data or IP. Governments and corporations would make sustainable progress against these sorts of breaches only with a blend of human-centric security technologies, policies, cultural changes and intelligent systems that can observe cyber behaviour and decipher intent."