198 Million Americans Hit By 'Largest Ever' Voter Records Leak (zdnet.com)
Political data gathered on more than 198 million US citizens was exposed this month after a marketing firm contracted by the Republican National Committee stored internal documents on a publicly accessible Amazon server, reports say. From a ZDNet article:
It's believed to be the largest ever known exposure of voter information to date. The various databases containing 198 million records on American voters from all political parties were found stored on an open Amazon S3 storage server owned by a Republican data analytics firm, Deep Root Analytics. UpGuard cyber risk analyst Chris Vickery, who found the exposed server, verified the data. Through his responsible disclosure, the server was secured late last week, and prior to publication. This leak shines a spotlight on the Republicans' multi-million dollar effort to better target potential voters by utilizing big data. The move is largely a response to the successes of the Barack Obama campaign in 2008, thought to have been the first data-driven campaign.
Further reading: Republican Data-Mining Firm Exposed Personal Information for Virtually Every American Voter - The Intercept; The RNC Files: Inside the Largest US Voter Data Leak - UpGuard; Data On 198M Voters Exposed By GOP Contractor - The Hill.
"Leak" (Score:2, Informative)
Pay a nominal fee to the right company and you have access to all voter records nationwide.
This is "a matter of public record" in the information age: zero privacy.
Re: "Leak" (Score:1, Informative)
Already public data was made public! Make a big deal out of it, because Republicans!
Re: (Score:3)
It could be a violation of the analytic firm's licence for the collated data...
Re: "Leak" (Score:5, Informative)
According to TFA, the "leaked" data contained much more than just public data. It contained info on religion, political persuasions, issues that you care about, etc. TFA doesn't say where that info came from, but most likely from donation records, social media scraping, and on-line tracking.
As far as we know, the data was temporarily exposed, but wasn't actually leaked, and is not publicly available. That is too bad. I would be really curious to see what they think of me.
Re: (Score:1, Interesting)
It contained info on religion, political persuasions, issues that you care about, etc.
Well... rather it contained their guesses about religion, political persuasions, issues, etc. There's no prohibition against making such guesses about someone. They are probably as you say basing it on donation records, social media scraping, and other voluntary disclosures by individuals.
I was also curious to see what they thought of me, but as you say it appears there was no leak.
Re: (Score:1)
"but most likely from donation records, social media scraping, and on-line tracking"
Only the first item is most likely (but not necessarily) non-public data. The latter two could very well depending on how it was posted/obtained. Privacy settings and who they shared posts with determine whether it was public or not.
Re: (Score:2)
The people who collected the data stated it was "only" available for a maximum of just over two weeks. Well - they would say that. I suppose it would have been illegal if Vickery had nosed around a bit more and looked at their logs.
Re: (Score:1)
I would be really curious to see what they think of me.
Sorry, you are #198,000,001, so you didn't make the list.
Re: (Score:2)
Another example of issues with electronic storage. Information stored on paper inherently has security within the medium itself. It is very difficult to walk out with a warehouse of paper files without being noticed (or the amount of time it would take), whereas with electronic, you can walk out with the equivalent of multiple warehouses of paper records in your pocket.
Unfortunately big data is not going away. Worst part for us, we have no idea where that information is stored, who has access to it, and
Re: (Score:2)
Au contraire, mon frere - the problem is that big data is travelling around the world all too freely!
Misleading title (Score:3, Interesting)
From TFA
"We accept full responsibility, will continue with our investigation, and based on the information we have gathered thus far, we do not believe that our systems have been hacked," he said.
Re: (Score:3, Interesting)
And how would anyone need to hack a system with no username and/or password:
"What UpGuard appears to have discovered, sitting on an Amazon cloud storage drive with no password or username required for access by anyone on the internet,"
https://theintercept.com/2017/... [theintercept.com]
I don't think anyone needs to hack that to get it.
Re: (Score:2)
That ship sailed.
Munging up a URL has been 'hacking' for decades now.
Re: (Score:2)
And how would anyone need to hack a system with no username and/or password:
"What UpGuard appears to have discovered, sitting on an Amazon cloud storage drive with no password or username required for access by anyone on the internet," https://theintercept.com/2017/... [theintercept.com]
I don't think anyone needs to hack that to get it.
Read between the lines. He means the data does not appear to have been ACCESSED prior to disclosure. He used the word "hacked" to control the narrative and keep the focus off how incompetent they were. Just like people who "hack" celebrity accounts by guessing easy passwords or security questions.
Re:Misleading title (Score:4, Interesting)
What the article is saying is the firm was as careless with their collected data as many people are when posting on Facebook. It didn't even have to be "hacked"; it was wide open. BTW, the claim that to the best of their knowledge only one person has accessed that data is a pretty lame response. The fact that the data was publicly exposed for anyone to see at all shows amateur level of negligence.
People with this mass amount of data should have better protocols for data exchange of authorized parties (obviously).
There could well be legal repercussions from this because who you vote for is the most sacred form of privacy in a democracy. This compromises people's ability to vote without possible retaliation from friends, colleagues, employers or even governments. This is a seriously BIG deal. When your voting preferences cannot be kept private, you can't vote freely. I personally believe everyone should vote, but if your voting records are up for grabs in cyberspace, anyone could pressure you. Hopefully people will stop foolishly giving their voting data or political preferences to marketing firms directly or indirectly. There is being friendly, then there is being careless.
Re: (Score:2)
Agreed, it sounds to me there wasn't even a faucet that you had to turn in order to access data, so a "leak" is a misnomer. There was just an open pipe directly into the data itself. Now I would be more curious as to WHO set this environment up and neglected to follow ANY security procedures whatsoever. This was inexcusable 20 years ago, I do not think that standard has changed.
Re: (Score:2)
Re: (Score:2)
There could well be legal repercussions from this because who you vote for is the most sacred form of privacy in a democracy.
It's still a private ballot. If you told someone who you voted for and they intentionally or unintentionally tell someone else... that's as much your fault as theirs.
Re: (Score:2)
Re: (Score:1)
People with this mass amount of data should have better protocols for data exchange of authorized parties (obviously).
People should not have vast amounts of data. Period.
No Biggie (Score:2, Informative)
The Donald confirms they were all fake democrat registrations anyway.
Voter records are public (Score:5, Insightful)
Commonly referred to as the "VAN", State voter participation records, even for party primaries/caucus, are a matter of public record. Who you voted for may be confidential, but that you showed up and voted isn't.
Larger political organizations go the extra mile to annotate these records and aggregate them. They even have door to door pollsters that go around to those who have voted recently and target them with polling questions.
IMHO it is a good thing this is open to the wider public, and not just in the hands of a few with the deep pockets to aggregate it.
Re: (Score:2)
Also to decide whom to pressure/suppress so that they will not vote
Re: (Score:1)
not so simple (Score:1)
It is not ONLY state records; it contains additional profiling information. The additional information is the thing to worry about here. Regardless of the accuracy of the information it could be abused in many ways. It could find its way into other profiling systems and you could be denied a job because the employer doesn't like certain groups and their only source of that information is breaches such as this one.
The billions spent on elections likely will produce the best profiling data on citizens along
American voters from all political parties (Score:3)
American voters from all political parties
What? Both of them?
(I know there are more political parties in the USA, but Americans themselves do not seem to know it.)
Re: (Score:2)
(I know there are more political parties in the USA, but Americans themselves do not seem to know it.)
The way our electoral college works means we effectively have only two national political parties. This does not have any effect on other elections, so you will occasionally see senators or congressmen from third parties - and, as you drill down to more local elections, this becomes more common (but not THAT common, even so).
Re: (Score:2)
https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:2)
Re: (Score:2)
Americans know that quite well. What you don't seem to know is that they are irrelevant due to the system which will prevent them from ever being in power.
First past the post will always tend to a 2 party system eventually.
So... basically all of us? (Score:2)
198 million records of people over the age of 18 and registered to vote... isn't that basically "everyone who's registered to vote?" Or dang near?
Anyone with more spare research cycles? How many registered voters are in America currently?
Re: (Score:3)
http://www.politico.com/story/... [politico.com] is the first I found, and that's 10/2016, at 200 million.
Re: (Score:2)
Re: (Score:2)
That's really interesting. Population about 310 million...about 70 million under 18...230 million registered...
How many non citizens again? How many ineligible?
Re: (Score:2)
How many non citizens again? How many ineligible?
Only black felons are ineligible. All the white felons and illegal immigrants are automatically registered to vote.
Swell (Score:2)
Re: (Score:1)
Hot Topic
With the direction most Americans' waistlines are going, it'd better be a gift certificate for Torrid, not Hot Topic. *drum hit*
Re: (Score:2)
Wow! Great idea, for 10 bucks I can buy one of those Mario Brothers mushroom tins with the really shitty candy inside.
Re: (Score:1)
Probably not successfully. The "leak" (the data may not even have actually been accessed, so no harm done) was comprised of public information such as "names, dates of birth, home addresses, phone numbers, and voter registration details", coupled with inferences they made themselves from data voluntarily disclosed by voters, which they are free to do with as they wish as it is the result of their own research and algorithms.
It's very unlikely such a lawsuit would succeed though of course you could always t
They shouldn't be allowed any voter information (Score:1)
They have no inherit right to that information. Its really non of their business at all. They shouldn't be allowed to gather any information on voters unless the voter allows them. I know its unlikely since they now want to be able to harass us with messages straight to our voicemail.
Re: (Score:2)
Of course they don't. That's why they paid for it.
I love how our society progresses. In the dark ages, you could be bought and sold by the aristocracy. In our enlightened society of today, only your data can be traded anymore.
Well, mostly 'cause you don't have to feed and shelter data, but hey...
Re: (Score:2)
Thanks its always nice to know the grammer ------- nazi will ignore the content to address the small things.
No commas were harmed in this rebuttal.
Re: (Score:2)
Incorrect word usage isn't an example of bad grammar? Maybe I need to stay after class.
Re: (Score:2)
My god, I've got them monologuing!
Re: (Score:2)
Mind you, neither of those sentences makes a lot of sense when you replace the word with its full and proper definition, but the problem does become apparent. One of them can
Re: (Score:2)
They have no inherit right to that information. Its really non of their business at all. They shouldn't be allowed to gather any information on voters unless the voter allows them. I know its unlikely since they now want to be able to harass us with messages straight to our voicemail.
Then you should start talking to the states because voter records are public info and can be accessed for free by most local party committees and campaigns/parties/action groups/etc can pay the state for state-wide records in a wide variety of formats. Much of the time it's available on the county clerk website for anyone who pinkie-swears it's for a legitimate use (i.e. you are not allowed to use it for commercial purposes such as solicitations for products, etc).
Re: (Score:2)
Where can I get my hands on that? (Score:1)
I fail to see the importance of the data (Score:2, Interesting)
Re: (Score:1)
You are absolutely correct. I've worked as a precinct inspector and precinct coordinator since 1996, and all voter data is PUBLIC RECORD. The registered voter roster is posted on the front door of every precinct on election day, and anyone can read it. The full county voter registration database is freely provided to every candidate running for office, to every political party with ballot access and to anyone else who wants to pay $200 to the county registrar of voters for a CD-ROM of the entire database.
Re: (Score:3, Insightful)
Re: (Score:1)
Addresses and dates of birth are more than basic marketing data. Nothing is going to change with this shit until there is some consequence. The law doesn't recognize information disclosure that increases risk of identity theft to be harm, so doesn't allow class action suits. The view is no harm, means no standing, but that is bullshit. Information exposure itself is harm and negligent handling of personal data should be a criminal act.
Re:I fail to see the importance of the data (Score:4, Insightful)
Which is, frankly, much worse than leaking Social Security numbers or health data. If they had leaked the SSN of everyone in America, it would force some real reform of the credit agencies, preventing them from treating an SSN as proof of identity, but overall, the public wouldn't be harmed. If anything, they would be helped by exposing the notion of "identity theft" as the credit-agency contrivance (fraud) that it is.
And the worst-case scenario for leaking health data is embarrassment if somebody got an STD, but that would quickly become uninteresting to people because it would also quickly demonstrate how many people do. You might occasionally have hiring bias by people who want to avoid their health insurance costs going up, but I would not expect that to be common (because it is quite illegal).
But exposing everyone's likely voting behavior is a grievous violation of personal privacy. Ask a Republican in a majority-Democrat region or a Democrat in a majority-Republican region, and ask them if they think that the people around them would be less likely to hire them if they knew their political affiliation. Ask them if it will affect their ability to socialize. And so on. Thus, voting data can be easily abused to pressure people into conformity.
Worse, that small-scale abuse has the potential to shift the balance of elections, which means that leaking this data potentially has a national impact as well as an individual impact. Based on that, I would argue that party affiliation and likelihood of voting for a given party is quite possibly the most private information that anyone can have about you, and that making that information available publicly is one of the worst breaches of the public's trust that a political organization can commit.
Re: (Score:2)
Not really, census data is not open to the public and penalties are in place for any who expose it. "White pages" (that I have seen) usually only expose the age, not the exact birth date. As birth date is a piece of the puzzle for identity thieves, I am not sure this is as innocuous as you are presenting.
Political party.... (Score:2)
While that information may be publicly available to one degree or another I don't think I would want it *freely* available to the next lunatic with a political axe to grind who lives down the street.
Re: (Score:2)
The data is relatively common and something you can find in any census or online "white pages," with perhaps the exception of the political party you're registered with.
How is this information sensitive in nature?
It is combined with all the data they bought from 3rd party aggregators, like Facebook, ad companies and everybody else tracking and contains everything you have ever done that has been registered by a soulless entity.
Re: (Score:1)
There are about 200 million voter records and 24 terabytes of data, so about 100,000 bytes/voter.
That is lot more than just vote records or census data.
The person who uncovered this data pool did note that it included among other things projections of each voter's opinions and likely vote patterns, with surprising accuracy insofar as he was concerned, based on what his own profile showed.
This leak shines a spotlight on... (Score:3, Insightful)
Poor Hillary (Score:1)
The move largely a response to the successes of the Barack Obama campaign in 2008, thought to have been the first data-driven campaign.
And look, it worked - too bad Obama's former campaign workers (now ensconced in his "Organizing For America" non-profit, which was fully-formed from his 2012 "Obama For America" campaign) were unavailable to Hillary...
Re: (Score:2)
They were available. They just weren't sufficiently adoring to run her campaign.
What to do about breaches (Score:1)
Re: (Score:1)
Re:What to do about breaches (Score:4, Funny)
Re: (Score:1)
Why does everybody ignore all the warnings? (Score:4)
After Sony, we quickly heard their security was worthless - every VP who wanted to watch some video somewhere could get another hole punched in the firewall.
Then the Democrats were "hacked" by.... asking for the top guy's password, which was promptly given!
Warning after warning that we aren't taking this seriously. I'd love to make some stupid partisan remark about this ("these are the people who mocked Clinton for a potential data exposure that never happened?!!?") but the fact is that everybody has done incredibly stupid crap like this, are still doing it, and will continue.
Until we get some kind of worse event, I guess. What will it take!?!
Public Record is a Leak? (Score:1)
Florida voter records are public record and available freely to anyone that asks. That isn't a leak, it's called open government. What's the issue here again?
Re: (Score:2)
Re: (Score:2)
If you'd read the article (I know, I know) you'd see there is a lot more than just public records in this data, hence the article in the first place.
Re: (Score:2)
R.I.P. Democracy. We hardly knew ye [wikipedia.org]
Bit Misleading (Score:2)
Re: (Score:2)
From Wapo: "It is not known whether the information has been accessed by anyone but Vickery." So not really a confirmed hit/leak, just a serious vulnerability at this point.
All you have to do is believe them. Me - nah. Although I suppose whoever the Republicans are sending this to has what I just typed in 3..2..1..
On purpose (Score:2)
Winning winning (Score:2)
There is absolutely no reason for regular people to safeguard anything about themselves, because the Government, and the Universities, and the hospitals, and the department stores simply give it away for free.
And I suspect that the Republican party simply made a few of their best friends aware of this tiny little "mistake", and their new owner is very, very pleased.
Re: (Score:1)
What? Did the bus already arrive?
Re: (Score:3)
Well, the democratic effort has been famous and bragged-about for several years, during which time it's never been described as anything but huge. It's like you're complaining about some story talking about the "Multi-Hundred-Billion-Dollar Russian Submarine program, seen as an effort to catch up with American submarines"...for not stressing for the thousandth time that America spends more on military (including submarines) than anybody. That's real famous, too.
(PS: The Russians do not have hundreds of bi
Re: (Score:2)
Re: (Score:2, Insightful)
The Democrats' effort isn't really relevant to the article because it wasn't their data that was exposed. In an article talking about R. Scalise being shot while practicing for a baseball game, do you expect them to also talk about a time that a Dem was shot in the past? If you want an article that might sound negative about the Dems, wait until something actually happens that involves them.
Comment removed (Score:5, Insightful)
Re: (Score:1)
So umm, just send out an email to all the voters telling them to reset their password???