UpGuard: RNC Firm Exposed Data Of 198 Million American Voters

UpGuard revealed that a misconfigured database made the personal information of 198 million U.S. voters publicly available to anyone who went looking for it. The security company said this is the "largest known data exposure of its kind," and that the data includes 1.1TB of "entirely unsecured personal information" collected by three data firms hired by the Republican National Committee (RNC) during the 2016 presidential election.

The exposed information includes the "names, dates of birth, home addresses, phone numbers, and voter registration details" of nearly all of America's registered voters, UpGuard said in its disclosure, "as well as data described as 'modeled' voter ethnicities and religions." The company said the data was collected by TargetPoint Consulting, Data Trust, and Deep Root Analytics (DRA) and stored on a publicly accessible server managed by DRA. All three firms have connections to the GOP and were hired to help the party win the 2016 presidential election.

TargetPoint, Data Trust, and DRA have not released statements about this disclosure. TargetPoint and DRA have not responded to our requests for comment, and a Data Trust spokesperson said, "We are aware of Deep Root's situation, but inquiries about it need to be directed to them."


UpGuard cyber risk analyst Chris Vickery discovered the misconfigured database on June 12. Besides the 1.1TB of publicly accessible information, another 24TB of secured data was stored on the server. Vickery downloaded the public info between June 12 and June 14, at which point UpGuard notified "federal authorities" about the leak. DRA is said to have blocked public access to all of the server's data shortly after that disclosure. It's not clear for how long the server was publicly accessible, or how many people downloaded the data before it was secured.

This leak highlights the dangers of collecting personal information about hundreds of millions of people. It's worth driving home the point that nobody stole this data--it was made publicly available to anyone who went looking for it. Besides harming U.S. voters' privacy, the information and analysis affected by this leak could put people at risk of phishing campaigns or other, more damaging attacks.

The revelation of personal data might not be the most damaging aspect of this leak. That dubious honor belongs to spreadsheets that sought to answer questions, according to UpGuard, "ranging from how likely it is the individual voted for Obama in 2012, to whether they agree with the Trump foreign policy of 'America First,' to how likely they are to be concerned with auto manufacturing as an issue, among others." UpGuard's Dan O'Sullivan said he was able to "view his modeled policy preferences and political actions as calculated by TargetPoint" and that they were "astoundingly accurate."

Those models could help hackers personalize their attacks. It's easier to make someone click on a link, download a file, or otherwise let their guard down with more carefully targeted attacks. So-called spear-phishing attacks are often more successful than mass emails from "Nigerian princes" willing to shower you with riches if you front them a few bucks. The information and analysis exposed by this leak would make those targeted attacks much easier to conduct. Almost everyone who was registered to vote in the 2016 election could now be in danger.

Unfortunately, there's nowhere to go but down from here. As UpGuard said in its disclosure:

The fundamental problems which exposed this data are not rare, uncommon, or consigned to one side of the partisan divide; indeed, while those responsible for this exposure are of one party, the 198 million Americans affected span the entire political spectrum, their information revealed regardless of their political beliefs. The same factors that have resulted in thousands of previous data breaches—forgotten databases, third-party vendor risks, inappropriate permissions—combined with the RNC campaign operation to create a nearly unprecedented data breach. [...] Despite the breadth of this breach, it will doubtlessly be topped in the future—to a likely far more damaging effect—if the ethos of cyber resilience across all platforms does not become the common language of all internet-facing systems.

Political parties, private companies, and other organizations are only going to become more reliant on big data. Knowledge is power, after all, and databases like this hold all the knowledge that the powerful could want. It makes it easier for politicians to win elections, companies to target advertisements, and other organizations to boost their own effectiveness. Unfortunately, the apparent inability to secure this information means it will also be used to attack the people behind the data, whether it's by breaching an organization's systems or accessing a public server.

Create a new thread in the UK News comments forum about this subject
No comments yet
    Your comment