
American voter data left unsecured on Internet

Data on 198 million potential American voters was left exposed on the Internet without a password by a contractor for the US Republican National Committee, a researcher has found.

The exposed databases were part of a 25TB collection of files in an Amazon Cloud account belonging to the data analytics firm Deep Root Analytics.

The account was found by UpGuard employee Chris Vickery, who regularly discovers such caches online. But he told The Hill that this discovery was much bigger than any he has seen before.

"In terms of the disk space used, this is the biggest exposure I've found. In terms of the scope and depth, this is the biggest one I've found," Vickery said. The files had a 198 million-entry database containing names and addresses, plus an "RNC ID" that could be used, in conjunction with other exposed files, to research individuals.

As an example, The Hill cited a 50GB file of "Post Elect 2016" information, last updated in mid-January. It had modelled data about a voter's likely positions on 46 different issues ranging from "how likely it is the individual voted for Obama in 2012, whether they agree with the Trump foreign policy of 'America First' and how likely they are to be concerned with auto manufacturing as an issue, among others".

In its analysis of the discovery, UpGuard wrote: "The data, which was stored in a publicly accessible cloud server owned by Republican data firm Deep Root Analytics, included 1.1 terabytes of entirely unsecured personal information compiled by DRA and at least two other Republican contractors, TargetPoint Consulting and Data Trust.

"In total, the personal information of potentially near all of America’s 200 million registered voters was exposed, including names, dates of birth, home addresses, phone numbers, and voter registration details, as well as data described as 'modelled' voter ethnicities and religions."

UpGuard said Vickery had found the database on 12 June, "while searching for misconfigured data sources on behalf of the Cyber Risk Team, a research unit of UpGuard devoted to finding, securing, and raising public awareness of such exposures".

It said that payments by the RNC to two of the companies totalled more than US$5 million. "Between January 2015 and November 2016, the RNC paid TargetPoint US$4.2 million for data services, and gave Causeway around US$500,000 in that time, according to Federal Election Commission reports. Deep Root, acting as Needle Drop, was paid US$983,000 by the RNC."

UpGuard said the exposure raised serious questions about the level of privacy and security that Americans could expect for their most privileged information.

"It also comes at a time when the integrity of the US electoral process has been tested by a series of cyber assaults against state voter databases, sparking concern that cyber risk could increasingly pose a threat to our most important democratic and governmental institutions."

Commenting on the incident, Forcepoint chief executive Matt Moynahan said: "The accidental data leakage of 200 million American voter records is the latest example of an unfortunate but sobering reality – more often than not, data breaches are caused not by malicious hackers but by inadvertent errors made by employees.

"Regardless of whether organisations are securing data using on-premises or cloud-based technology, like in the case of Deep Root Analytics, organisations need to balance protecting privacy and understanding how their employees interact with critical business data and intellectual property.

"They should look at people and protect against those behaviours that could result in the loss of valuable data or IP. Governments and corporations would make sustainable progress against these sorts of breaches only with a blend of human-centric security technologies, policies, cultural changes and intelligent systems that can observe cyber behaviour and decipher intent."


Sam Varghese


A professional journalist with decades of experience, Sam for nine years used DOS and then Windows, which led him to start experimenting with GNU/Linux in 1998. Since then he has written widely about the use of both free and open source software, and the people behind the code. His personal blog is titled Irregular Expression.