Political data gathered on more than 198 million US citizens was exposed

[bill ruggirello]

Gizmodo reported on a blog post by IT Security company UpGuard which revealed the largest US voter data leak to date.

Political data gathered on more than 198 million US citizens was exposed this month after a marketing firm contracted by the Republican National Committee stored internal documents on a publicly accessible Amazon server and was available for 12 days for anyone with the URL.

The 1.1 terabytes of data includes birthdates, home addresses, telephone numbers and political views of nearly 62% of the entire US population. UpGuard cyber risk analyst Chris Vickery discovered Deep Root’s data online last week.

Deep Root Analytics, a conservative data firm that identifies audiences for political ads, confirmed ownership of the data to Gizmodo on Friday.

But wait, there's more...

Apart from personal details, the data also contained citizens' suspected religious affiliations, ethnicities and political biases, such as where they stood on controversial topics like gun control, the right to abortion and stem cell research.

This type of data can easily be used for nefarious purposes, from identity fraud to harassment or intimidation of people who hold an opposing political view.

Worst of all, this is a spear phishing gold mine!

Who got their hands on this data?

It's not clear. What we know for sure is that UpGard's Chris Vickery found it. Twelve days on the Internet is a very long time. Bad guys are scanning for misconfigured databases 24/7 so the chances are high.

In a statement, Deep Root founder Alex Lundry told Gizmodo, “We take full responsibility for this situation.” He said the data included proprietary information as well as publicly available voter data provided by state government officials. “Since this event has come to our attention, we have updated the access settings and put protocols in place to prevent further access,” Lundry said.

First, deny everything...

Deep Root’s data was exposed after the company updated its security settings on June 1, Lundry said. Deep Root has retained Stroz Friedberg, a cybersecurity and digital forensics firm, to investigate. “Based on the information we have gathered thus far, we do not believe that our systems have been hacked,” Lundry added.

Yeah, right. First, you deny everything. Later, bit by bit, the truth comes out. For the moment, you should assume the data was breached.