RNC files on 198M voters left exposed to hackers
Information about as many as 198 million registered voters was left on an open online database and only taken down when it was discovered by a cyber security analyst.
The data was stored on publicly accessible files in an Amazon cloud account used by a data analytics contractor employed by the Republican National Committee to help it identify potential audiences for television ads.
Deep Root Analytics’ main database included names, dates of birth, home addresses, phone numbers and voter registration details for more than 198 million registered voters, as well as data that looked as if it attempted to guess each voter’s ethnicity and religion based on other information collected about them.
The RNC said it had halted any further work with the company pending the conclusion of an investigation into its security procedures. No proprietary RNC information was accessed, it said.
The discovery comes after a year of political turmoil during
which the servers of the Democratic National Committee were hacked and leaked. The attack has been attributed by federal intelligence officials to Russia, and former Democratic presidential candidate Hillary Clinton has placed some of the blame for her loss on the release of the emails.
In this case, the RNC files were not hacked but instead were simply posted online without password protection. They were discovered by Chris Vickery, a cyber risk analyst with the company UpGuard who spends his days looking for exposed data online. He said the 25 terabytes of data was the biggest exposed data cache he has ever found. “It’s really rare to come across something of this magnitude,” he said.
Vickery discovered the files on June 12. He notified federal officials, and the files were removed from public access June 14, he said. The files were stored on Amazon’s AWS cloud storage, which requires passwords by default. In this case, someone would have needed to deliberately set the security to not require passwords.
While no directory of files was visible online, to access them it was only necessary to understand the naming conventions typically used for database files on AWS and then use wild cards to search for possible hits, Vickery said.
Vickery said companies sometimes remove password protection because it slows down the ability of developers or other contractors to work with data, or sometimes simply because it is easier.
Deep Root Analytics said in a statement it took full responsibility for the situation. It has updated the account settings and put protocols in place to prevent further access.