Unprotected RNC files exposed data on voters
A Republican National Committee database of nearly every registered American voter was left vulnerable to theft on a public server for 12 days this month, according to a cybersecurity researcher who found and downloaded the trove of data.
The lapse in security was striking for putting at risk the identities, voting histories and views of voters across the political spectrum, with data drawn from a wide range of sources including social media, public government records and proprietary polling by political groups.
Chris Vickery, a risk analyst at cybersecurity firm UpGuard, said he found a spreadsheet of nearly 200 million Americans on a server run by Amazon’s cloud- hosting business that was left without a password or any other protection. Anyone with Internet access who found the server could also have downloaded the entire file.
The server contained data from Deep Root Analytics, a contractor to the Republican National Committee, which used Amazon Web Services for server storage. Vickery said he came upon the server’s address as he scanned the Internet for unsecured databases.
“With this data you can target neighborhoods, individuals, people of all sorts of persuasions,” Vickery said in an interview. “I could give you the home address of every person the RNC believes voted for [ President Donald] Trump.”
It is not known whether the information has been accessed by any one but Vickery. Gizmodo was first to report details of the data vulnerability Monday. The Washington Post has not reviewed the file.
The RNC did not immediately comment. In a statement, Deep Root founder Alex Lundry told Gizmodo, “We take full responsibility for this situation.” He said the data included proprietary information as well as publicly available voter data provided by state government officials. “Since this event has come to our attention, we have updated the access settings and put protocols in place to prevent further access,” Lundry said.
In all, the leaked files amount to more than 1,000 gigabytes of data — more than four times the size of any previous breach of this type, according to Vickery. The data fields included views on specific issues including abortion, gun rights and environmental issues, he said.
The detailed file does not stop at Trump supporters, but likely includes Democrats, independents and many voters in between, he said. At a time when even many Americans protect their most basic emails and photos using passwords and two- step authentication, the security missteps by Deep Root Analytics, the contractor behind the breach, represent a form of gross negligence, he added.
The file has been secured now for several days, Vickery said, adding that he informed law enforcement of the vulnerability after discovering it.
“What is alarming about this now is that I believe it’s the first time RNC IDs and model data have been exposed,” said Matt Oszcowski, a veteran GOP political data strategist. “This is not just a list of people; this is unique proprietary information which gives away [ Republican] strategy and informs on targeting and methodology.”
Privacy experts expressed alarm over the breach, which they said shows how deeply personal data has become integrated into the modern political campaign.
“They’re using this information to create political dossiers on individuals that are now available for anyone,” said Jeffrey Chester, executive director of the Center for Digital Democracy. “These political data firms might as well be working for the Russians.”