Contractor’s Security Lapse Exposes Data on Millions of Voters

A contractor for the Republican National Committee (RNC) has exposed the personal data of 198 million Americans online, raising alarms about the security of election systems across the U.S., according to a report published this week by Gizmodo.

The investigative report by the cyber security company UpGuard, asserts that Deep Root Analytics, a data firm aligned with conservatives, stored voter data on a cloud-based server accessible to anyone, without password protection. Data stored on the server included “more than a terabyte” of information including home addresses, birthdays, phone-numbers, and analytical data on ideological tendencies of people and their political beliefs. The Hill reports that the database could be as large as 25 terabytes, consisting of data on 61% of Americans.

The report underscores longstanding concerns among voter security advocates about the vulnerability of voter data to cyberattacks.

UpGuard said it assumes that information in the Deep Root database is accurate because the two contributors to its report, Christopher Vickery, a cyber-risk researcher, and Dan O’Sullivan, the author, “looked themselves up in these spreadsheets, confirming that the files contained accurate and sensitive personal information.”

Political groups like the RNC contract with Deep Root for analyses that help them better target ads, and predict the effectiveness of their messaging. Gizmodo said the data held by Deep Rot “[shed] light onto the increasingly advanced data ecosystem that helped propel President Donald Trump’s slim margins in key swing states.”

Gizmodo confirmed that Deep Root Analytics, an organization which Federal Election Commission records indicate received 983,000 dollars from the RNC last year, is responsible for the aggregation of the data and its accuracy.

Gizmodo reports that these types of files are typically sought after by campaigns, but the lax security surrounding them suggests a larger issue for election information storage. “This [leaked information] is valuable for people who have nefarious purposes,” Joseph Lorenzo Hall, the chief technologist at the Center for Democracy and Technology, told Gizmodo.

Gizmodo asserts that “because campaigns are short-term operations, there’s not much incentive for them to take data security seriously, and valuable data is often left out to rust after an election.”

Post-election, campaigns have no incentive to protect voter information. “Voter data rapidly goes stale and campaigns close up shop quickly, so data is seen as disposable and often isn’t well-protected,” Gizmodo said.

This breach not an isolated incident. Bloomberg Politics reported last week that Russian agents attempted to penetrate voter databases in 35 states during the 2016 presidential election. During testimony to the Senate Intelligence committee two weeks ago, former FBI director James Comey said that these kinds of attacks were focused on destabilizing democracy, and that their Russian perpetrators would not be giving in anytime soon.  

On March 1, news outlets in Atlanta reported a breach of voter data at Kennesaw State University, which handles voter information for the entire state. The governor’s office called the Federal Bureau of Investigation after discovering the magnitude of the hack.

The Data Root breach and Russia’s hacking spotlight the need to beef up online security as election administrators modernize voting systems across the country. Businesses victimized by computer hackers can write off their losses as part of the cost of doing business. Votes that are lost or altered cannot be recovered.

 ###