Voter database was exposed on internet, security firm says
WASHINGTON—A Virginia data firm working for the Republican National Committee left voting records of 198 million Americans exposed on the internet and accessible to anyone, a California cybersecurity firm said Monday.
The data firm not only left exposed the vast national database but also precise and painstaking projections for most voters of their projected attitudes on a variety of issues including Obamacare, lower taxes, immigration, fossil fuels and environmental consciousness.
The records were exposed to anyone who knew rudimentary search techniques, said UpGuard, a Mountain View, Calif., cybersecurity firm, but the records have since been secured again.
The enormous national database included names, dates of birth, home addresses, phone numbers, party affiliation, racial demographics and voter registration status, UpGuard said in its internet post.
Following a series of hacks on political parties last fall, and attempts by Russia to access election rolls and machinery at the state and local level, the vulnerability of the U.S. electoral process has become a hot topic on Capitol Hill, including a House intelligence panel hearing to take place Wednesday on “Russian active measures during the 2016 election campaign.”
UpGuard’s disclosure raises even deeper questions about the responsibilities of political parties and private firms in securing and protecting data that is parsed and dissected through increasingly high-powered analytic tools.
“The fact is that if you’re a registered voter, your personal information was exposed here. I think that will be troubling to a lot of people,” said Dan O’Sullivan, a cyber resilience analyst at UpGuard.
The RNC-linked firm, Deep Root Analytics, of Arlington, Va., issued a statement saying the information “was accessed without our knowledge.” Controls were since put in place “to prevent further access. We take full responsibility for this situation.”
The company, which said the data was used for targeted television advertising, said network access settings were changed some time after June 1, leaving the data vulnerable but providing only a small window of time for exposure.
It added that it believed UpGuard’s researcher, Chris Vickery, was the only person to have downloaded the data. It said it had hired a Washington cybersecurity firm, Stroz Friedberg, to review how the vulnerability happened.
“Based on the information we have gathered thus far, we do not believe that our systems have been hacked,” Deep Root Analytics said in the statement.
O’Sullivan said the information was kept by Amazon Web Services, a cloud-based storage provider, and was not password-protected.
“If we can find that, anyone can find that,” O’Sullivan said. “It didn’t take anyone with special engineering.”
The United States has roughly 200 million registered voters, so the data exposed would encompass nearly the entire universe of U.S. voters.