Thursday, December 2, 2021
Dec. 2, 2021

Linkedin Pinterest

Republican contractor’s database of nearly every voter was left exposed on the internet for 12 days, researcher says


Detailed information on nearly every U.S. voter — including in some cases their ethnicity, religion and views on political issues — was left exposed online for two weeks by a political consultancy that works for the Republican National Committee and other GOP clients.

The data offered a strikingly complete picture of the voting histories and political leanings of the American electorate laid out on an easily downloadable format, said cyber-security researcher Chris Vickery. He discovered the unprotected files of 198 million voters in a routine scan of the Internet last week and alerted law enforcement officials.

The precision and volume of the information, including dozens of data points on individual Republicans, Democrats and independent voters, highlights the rising sophistication of the data-mining efforts that have become central to modern political campaigns.

In some cases, that included which voters are suspicious of Wall Street and pharmaceutical firms, or who reluctantly voted for Hillary Clinton or supports the Affordable Care Act, Vickery said.

“They’re using this information to create political dossiers on individuals that are now available for anyone,” said Jeffrey Chester, executive director of the Center for Digital Democracy. “These political data firms might as well be working for the Russians.”

The data found by Vickery, who studies cyber-security risk for the Silicon Valley startup UpGuard, was compiled by GOP political consultant Deep Root Analytics, based on voter lists maintained by the RNC and augmented by other sources.

Deep Root did not disclose those sources but political research firms for years have been collecting information on voters from data brokers, social media postings, polling and other contacts with voters.

The company also kept information on Americans’ voting histories and their reported enthusiasm for Trump, Vickery said. Some of the files assigned voters a score based on their views of 46 different issues ranging from immigration to trade. Nearly 170 gigabytes of the exposed data consisted of social media posts scraped from Reddit, he added.

Among the data are unique RNC identifiers for each voter, Vickery said. The files also potentially offered insight into party strategy for tracking and organizing voters.

“What is alarming about this now is that I believe it’s the first time RNC IDs and model data have been exposed,” said Matt Oszcowski, a veteran GOP political data strategist who recently started his own political fundraising company, Campaign Inbox. “This is not just a list of people; this is unique proprietary information which gives away (Republican) strategy and informs on targeting and methodology.”

The files do not appear to include Social Security or credit card information, as has leaked in some major commercial data breaches. Nor is it clear if anyone other than Vickery gained unauthorized access to the files during the two weeks they were left without a password or other security before the problem was discovered on June 12.

But malicious hackers routinely conduct such scans of the Internet looking for unprotected files they can exploit. And to those who may have found them, the files painted a detailed portrait of virtually all of America’s roughly 200 million voters — revealing their names, addresses, birth dates and phone numbers. The information was being stored by Amazon Web Services.

The voter files found by Vickery, he said, added up to “billions of data points” that, in the wrong hands, could easily be abused.

“With this data you can target neighborhoods, individuals, people of all sorts of persuasions,” said Vickery in an interview. “I could give you the home address of every person the RNC believes voted for Trump.”

In a statement, Deep Root blamed the lapse in security on a settings change, and said it had hired an outside firm to conduct an independent investigation. “We accept full responsibility, will continue with our investigation, and based on the information we have gathered thus far, we do not believe that our systems have been hacked,” Deep Root said.