198 million Americans hit by `largest ever` voter records leak

Source: ZD Net, 19/06/2018

A huge trove of voter data, including personal information and
voter profiling data on what`s thought to be every registered US
voter dating back more than a decade, has been found on an exposed
and unsecured server, ZDNet has learned.
It`s believed to be the largest ever known exposure of voter
information to date.
The various databases containing 198 million records on American
voters from all political parties were found stored on an open
Amazon S3 storage server owned by a Republican data analytics
firm, Deep Root Analytics.
ELECTION 2016
Ballots in several key battleground US states may be nearly
impossible to verify.
UpGuard cyber risk analyst Chris Vickery, who found the exposed
server, verified the data. Through his responsible disclosure, the
server was secured late last week, and prior to publication.
This leak shines a spotlight on the Republicans` multi-million
dollar effort to better target potential voters by utilizing big
data. The move largely a response to the successes of the Barack
Obama campaign in 2008, thought to have been the first data-driven
campaign.
Through a handful of companies, including data firms, market
researchers, and analytics providers, the GOP replicated that
Obama campaign strategy by helping its political candidates make
data-based decisions about their campaigns.
The exposed records include files provided by Data Trust, a data
warehouse created by the GOP to serve as its exclusive data
provider of voter records. The company sells and supplies voter
data to political candidates, who rely on access to the data in
order to shape their campaigns.
According to UpGuard, the folder includes dozens of spreadsheets
containing a unique GOP identifier for each voter for the 2008 and
2012 presidential campaigns, which link to `dozens of sensitive
and personally identifying data points, making it possible to
piece together a striking amount of detail on individual Americans
specified by name.` A folder containing 2016 data only included
files for Ohio and Florida, two crucial battleground states.
Each record lists a voter`s name, date of birth, home address,
phone number, and voter registration details, such as which
political party a person is registered with. The data also
includes `profiling` information, voter ethnicities and religions,
and various other kinds of information pertinent to a voter`s
political persuasions and preferences, as modeled by the firms`
data scientists, in order to better target political advertising.
Senior executives at Data Trust would not speak on the record
prior to publication.
The exposed server was also found to contain gigabytes of data
from TargetPoint, a conservative market research firm focused on
helping candidates better understand voters` policy preferences
and political actions. Some of these files, says UpGuard, contain
millions of entries that appear to rate voters on the post-
election likelihood of supporting a certain policy, candidate, or
belief on a scale of `very unlikely` to `very likely.`
Dozens of data breaches, millions of people affected.
Deep Root, which claims to be the `most experienced group of
targeters in Republican politics,` uses that wealth of data to
help its political clients make better decisions when buying
television advertising air-time.
That, the hope is, allows prospective Republican candidates and
their committees to target pro-trade Republicans who might vote
blue, and Democrats who want tighter immigration controls who can
be convinced to vote red.
Alex Lundry, co-founder of Deep Root, confirmed the company owned
the Amazon S3 storage server, and said in an email that company
has taken `full responsibility for this situation.`
`Deep Root Analytics has become aware that a number of files
within our online storage system were accessed without our
knowledge,` said Lundry.
`The data that was accessed was, to the best of our knowledge
proprietary information as well as voter data that is publicly
available and readily provided by state government offices. Since
this event has come to our attention, we have updated the access
settings and put protocols in place to prevent further access.`
We accept full responsibility, will continue with our
investigation, and based on the information we have gathered thus
far, we do not believe that our systems have been hacked,` he
said.
This isn`t the first batch of voter data found by Vickery.
Vickery, who we profiled on ZDNet earlier this year, found 87
million Mexican voter records in an exposed database in 2016.
He was also responsible for discovering several US voter databases
online totaling 18 million voters, and the state of Louisiana`s
entire database of 2.9 million voters.
Deep Root`s exposure also appears to be larger than the 191
million voter records exposed in late 2015, and another massive
leak of 154 million voter records a year later.