U.S. Voter Data Compromised by RNC Consultant

UpGaurd, a California-based cybersecurity firm, found that as many as 198 million voter records were exposed to anyone with rudimentary search techniques.

by Tim Johnson, McClatchy Washington Bureau / June 20, 2017
Shutterstock

(TNS) -- WASHINGTON — A Virginia data firm working for the Republican National Committee left voting records of 198 million Americans exposed on the internet and accessible to anyone, a California cybersecurity firm said Monday.

The data firm not only left exposed the vast national database but also precise and painstaking projections for most voters of their projected attitudes on a variety of issues including Obamacare, lower taxes, immigration, fossil fuels and environmental consciousness.

The records were exposed to anyone who knew rudimentary search techniques, said UpGuard, a Mountain View, Calif., cybersecurity firm, but the records have since been secured again.

The enormous national database included names, dates of birth, home addresses, phone numbers, party affiliation, racial demographics and voter registration status, UpGuard said in its internet post.

Following a series of hacks on political parties last fall, and attempts by Russia to access election rolls and machinery at the state and local level, the vulnerability of the U.S. electoral process has become a hot topic on Capitol Hill, including a House intelligence panel hearing to take place Wednesday on “Russian active measures during the 2016 election campaign.”

UpGuard’s disclosure raises even deeper questions about the responsibilities of political parties and private firms in securing and protecting data that is parsed and dissected through increasingly high-powered analytic tools.

“The fact is that if you’re a registered voter, your personal information was exposed here. I think that will be troubling to a lot of people,” said Dan O’Sullivan, a cyber resilience analyst at UpGuard.

The RNC-linked firm, Deep Root Analytics, of Arlington, Va., issued a statement saying the information “was accessed without our knowledge.” Controls were since put in place “to prevent further access. We take full responsibility for this situation.”

The company, which said the data was used for targeted television advertising, said network access settings were changed some time after June 1, leaving the data vulnerable but providing only a small window of time for exposure. It added that it believed UpGuard’s researcher, Chris Vickery, was the only person to have downloaded the data. It said it had hired a Washington cybersecurity firm, Stroz Friedberg, to review how the vulnerability happened.

“Based on the information we have gathered thus far, we do not believe that our systems have been hacked,” Deep Root Analytics said in the statement.

O’Sullivan said the information was kept by Amazon Web Services, a cloud-based storage provider, and was not password-protected.

“If we can find that, anyone can find that,” O’Sullivan said. “It didn’t take anyone with special engineering.”

The United States has roughly 200 million registered voters, so the data exposed would encompass nearly the entire universe of U.S. voters.

Vickery, who was working as part of UpGuard’s Cyber Risk Team, discovered a data repository on Amazon Web Services June 12 and downloaded it, a total of 1.1 terabytes of data, equivalent to 500 hours of video, the company said.

Vickery, who is noted for finding sensitive information on the internet in the past, guessed a subdomain name — “dra-dw” — which stands for Deep Root Analytics-data warehouse, UpGuard said. Vickery notified federal authorities of the matter June 14, and it was quickly secured.

Voting records are public, but access is not always freely available and can be restricted in terms of use. Massive databases of aggregated national voter rolls have become more valuable in political campaigns with each passing election, allowing for micro-targeting of campaigns down to the individual.

Working with Deep Root Analytics in compiling the data were two other firms with strong ties to the Republican National Committee, Target Point Consulting Inc. and Data Trust, UpGuard said, and all were involved in President Donald Trump’s 2016 campaign.

In addition to the general database information were files on U.S. voters containing 9.5 billion projections, calculated on a scale of zero to one and with precision to the sixth decimal point, on voting tendencies in past presidential elections and on a series of 46 issues, UpGuard said.

“It’s not just who you voted for. It’s, you know, ‘Do you agree that companies shouldn’t be allowed to ship jobs overseas?’ Do you agree with President Trump’s America First foreign policy? Do you agree we need to move away from fossil fuels?’” O’Sullivan said.

O’Sullivan said employees looking in the database for their own records and projections found them “to be quite accurate” for themselves.

UpGuard does not plan to hang on to the databases.

“We don’t want this on our hands. Essentially, we want to hang onto it only so long as the authorities require it, and then get rid of it, permanently delete the data,” O’Sullivan said.

©2017 McClatchy Washington Bureau Distributed by Tribune Content Agency, LLC.