Nearly 200M Voter Records Leaked in Largest-Ever Exposure


Personal data on nearly 200 million US voters—representing 61% of the total population and the majority of eligible voters—was discovered to be stored on an insecure Amazon server and thus exposed to potential compromise.

That makes it the largest leak of voter data of all time.

The information, compiled at the behest of the Republican Party, includes home addresses, birthdates and phone numbers, plus analytics data that suggests who a person is likely to vote for and why, along with their stances on hot-button issues like the Second Amendment, stem cell research and abortion. Ethnicity and religious data was also included.

Deep Root Analytics, a conservative marketing firm contracted by the Republican National Committee, stored the internal documents on a publicly accessible Amazon server for 12 days. The data totaled more than a terabyte, and was stored without password protection—it could be accessed by anyone who found the URL. Deep Root had collated the information from a variety of sources, including Karl Rove’s super-PAC American Crossroads, Kantar Media and even the American Civil Liberties Union.

“We take full responsibility for this situation,” Deep Root founder Alex Lundry told Gizmodo. “Since this event has come to our attention, we have updated the access settings and put protocols in place to prevent further access… Based on the information we have gathered thus far, we do not believe that our systems have been hacked.”

UpGuard cyber-risk analyst Chris Vickery discovered Deep Root’s data by simply searching for data publicly accessible on Amazon’s cloud service.

Paul Fletcher, cybersecurity evangelist at Alert Logic, told us that the issue really doesn’t revolve around the use of the public cloud, but rather how that cloud was used.

“The fact that this exposure was discovered on a public cloud site is irrelevant,” he said. “In fact, if the AWS suite of security tools and log collection capabilities were properly implemented, this massive data exposure could’ve been avoided. The Amazon S3 server comes by default with an access control list (ACL), which needs to be properly set up, maintained and audited by the organization (and in this case), the organization’s customer—the GOP. Extra security is also available using server-side encryption, again offered by AWS, but the responsibility to implement this solution is up to the public cloud customer.”

It’s significant that, once again, a third party is the weak link.

“When hackers are after your data, they’ll target trusted relationships, usually through a third party with access to your network,” said Fred Kneip, CEO at CyberGRX, via email. “In the case of the Target breach, it was a small HVAC vendor who may not have viewed information security as a core competency or high priority. The fact that exposure can occur even through a big data firm versed in data security best practices goes to show that all third parties, regardless of the resources they have to secure your data, are potential attack vectors.”

While no formal assessment has been made as to whether the information actually has been tapped by bad actors, “the potential for this type of data being made available publicly and on the Dark Web is extremely high,” said Fletcher. “The collection (or aggregation) of PII only helps attackers build a more precise social engineering attack, especially using customized social media and phishing attack scenarios. This only aids the attacker’s approach and messaging because the specificity of the details increases the temptation for many people to click on the link.”
