GOP contractor confirms responsibility in leak affecting 200 million US citizens
Image credit: Dreamstime
A data firm contracted by the US Republican National Committee (RNC) has confirmed that it is responsible for the leak of hundreds of millions of Americans’ personal details. More than a terabyte of data had been stored on a publicly accessible server.
The data was discovered by Chris Vickery, a cyber risk analyst at UpGuard, who described the discovery as “perhaps the largest known exposure of voter information in history.” The Deep Root server had been left on a cloud server between June 1 and June 12 2017.
“The data repository, an Amazon Web Services S3 bucket, lacked any protection against access,” the UpGuard blog reports. “As such, anyone with an internet connection could have accessed the Republican data operation used to power Donald Trump’s presidential victory, simply by navigating to a six-character Amazon subdomain: “dra-dw”.”
The internal documents contain personal information such as voters’ addresses, dates of birth, suspected religious and racial identity, and “sentiment analyses”, used to determine where voters stand on sensitive issues such as abortion rights. More than 198 million voters were affected; this is 62 per cent of the US population.
The data was collected by Deep Root Analytics, and other companies (including the Data Trust, and Americans for Prosperity”, Republican super PACs (including Karl Rove’s American Crossroads), and even a banned subreddit, r/fatpeoplehate.
According to the Federal Election Commission, last year, the RNC paid Deep Root nearly a million dollars to identify audiences for specialised political advertisements. The data leak sheds some light on the rapidly advancing world of data analytics for “political microtargeting”, which contributed towards Donald Trump’s victory in the US Presidential Election. Small advances in vital swing states saw Trump collect more electoral college votes than his rival, despite receiving fewer votes overall.
“It is not the first time that a security research scanning the data buckets of cloud storage services has found that a significant portion of them are insecure, and that a significant portion of these contain personal data or sensitive business data,” said Itsik Martin, director of security research at Imperva. “What’s unique in this event is the quantity and the sensitivity of the data that was kept negligently.”