The following article by Brian Fung, Craig Timberg and Matea Gold was posted on the Washington Post website June 19, 2017:
A Republican analytics firm’s database of nearly every registered American voter was left vulnerable to theft on a public server for 12 days this month, according to a cybersecurity researcher who found and downloaded the trove of data.
The lapse in security was striking for putting at risk the identities, voting histories and views of voters across the political spectrum, with data drawn from a wide range of sources including social media, public government records and proprietary polling by political groups.
Chris Vickery, a risk analyst at cybersecurity firm UpGuard, said he found a spreadsheet of nearly 200 million Americans on a server run by Amazon’s cloud hosting business that was left without a password or any other protection. Anyone with Internet access who found the server could also have downloaded the entire file.
The server contained data from Deep Root Analytics, which created a database of information from a variety of sources including the Republican National Committee, one of the company’s clients. Deep Root Analytics used Amazon Web Services for server storage, and Vickery said he came up on the server’s address as he scanned the Internet for unsecured databases.
“With this data you can target neighborhoods, individuals, people of all sorts of persuasions,” said Vickery in an interview. “I could give you the home address of every person the RNC believes voted for Trump.”
It is not known whether the information has been accessed by anyone but Vickery. But if it was, it would represent perhaps the largest political data breach in American history.
Gizmodo reported details of the data vulnerability Monday. The Washington Post has not reviewed the file.
The RNC did not provide immediate comment, and Deep Root did not immediately respond to multiple requests for comment. But in a statement to Gizmodo, Deep Root founder Alex Lundry said, “We take full responsibility for this situation.” He said the data included proprietary information as well as publicly available voter data provided by state government officials. “Since this event has come to our attention, we have updated the access settings and put protocols in place to prevent further access,” Lundry said.
“Deep Root Analytics has taken full responsibility for this situation and the RNC has halted any further work with the company pending the conclusion of their investigation into security procedures,” the RNC said in a statement. “While Deep Root has confirmed the information accessed did not contain any proprietary RNC information, the RNC takes the security of voter information very seriously and we require vendors to do the same.”
In all, the leaked files amount to more than 1,000 gigabytes of data — more than four times the size of any previous breach of this type, according to Vickery. The exposed data also contained records of voters’ views on specific issues including gun control, abortion and environmental issues, he said. Overall, Vickery said, there were billions of data points and 170 GB of social media posts scraped from Reddit alone.
The detailed file does not stop at Trump supporters, but includes Democrats, independents and many voters in between, he said. At a time when even many Americans protect their most basic email accounts and photos using passwords and two-step authentication, the security missteps by Deep Root Analytics, the contractor behind the breach, represent a form of gross negligence, he added.
The file has been secured now for several days, Vickery said, adding that he informed law enforcement of the vulnerability after discovering it.
“What is alarming about this now is that I believe it’s the first time RNC IDs and model data have been exposed,” said Matt Oszcowski, a veteran GOP political data strategist. “This is not just a list of people; this is unique proprietary information which gives away [Republican] strategy and informs on targeting and methodology.”
Privacy experts expressed alarm over the breach, which they said shows how deeply personal data has become integrated into the modern political campaign.
“They’re using this information to create political dossiers on individuals that are now available for anyone,” said Jeffrey Chester, executive director of the Center for Digital Democracy. “These political data firms might as well be working for the Russians.”
Both parties, as well as independent political groups, have been increasing the detail and volume of their data-collection efforts for several campaign cycles, peaking in 2016. Privacy experts have warned for years that this has happened with little oversight from federal or state officials.
“Perhaps the biggest privacy problem here is the fact that the Republicans have all this information about voters in the first place,” said Peter Eckersley, chief computer scientist for the Electronic Frontier Foundation, a civil liberties group. “At some point in the past, parties picked a platform and voters decided on it. But with these databases, political operations can promise very different and increasingly contradictory things to different people, and that may be turning into a serious problem for democracy.”
Deep Root Analytics’ unprotected server may have exposed data compiled by the Data Trust, the private data company hired by the Republican National Committee to update its voter file, Vickery said. The RNC data was part of a costly effort to improve the party’s data collection and analysis in the wake of the 2012 election.
The RNC poured more than $20 million into data services in the 2016 cycle, according to Federal Election Commission records. Of that, $6.2 million went to Data Trust, which has an exclusive list-sharing agreement with the national party.
That allows the company to swap RNC voter data with independent big-money groups such as American Crossroads, American Action Network and the Koch political network, helping enrich the party’s master voter file.
For its part, Deep Root Analytics worked for at least 14 GOP political committees in the 2016 cycle, FEC records show. Among its clients: House Speaker Paul Ryan’s campaign committee and his allied House super PAC; the Senate Leadership Fund, a super PAC aligned with American Crossroads and Senate Majority Leader Mitch McConnell; and former Florida governor Jeb Bush’s presidential campaign and allied super PAC.
There are no reported payments from the RNC to Deep Root. However, the party spent $983,000 on “polling services/consulting” with a company called Needle Drop, which is a subsidiary of Deep Root, according to AdAge.
“There is much more of a life cycle here at the RNC now that revolves around data,” then-RNC chief of staff Katie Walsh told The Post in July 2015. “Everything we do here comes back to, ‘How does that improve the voter file?’”
(Amazon chief executive Jeffrey P. Bezos owns The Washington Post)
Correction: An earlier version of this story incorrectly stated that the database that was vulnerable to theft belonged to the Republican National Committee. In fact, the data came from the RNC and other sources and was assembled by Deep Roots .
View the post here.