Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Government United States Politics

198 Million Americans Hit By 'Largest Ever' Voter Records Leak (zdnet.com) 119

Political data gathered on more than 198 million US citizens was exposed this month after a marketing firm contracted by the Republican National Committee stored internal documents on a publicly accessible Amazon server, reports say. From a ZDNet article: It's believed to be the largest ever known exposure of voter information to date. The various databases containing 198 million records on American voters from all political parties were found stored on an open Amazon S3 storage server owned by a Republican data analytics firm, Deep Root Analytics. UpGuard cyber risk analyst Chris Vickery, who found the exposed server, verified the data. Through his responsible disclosure, the server was secured late last week, and prior to publication. This leak shines a spotlight on the Republicans' multi-million dollar effort to better target potential voters by utilizing big data. The move largely a response to the successes of the Barack Obama campaign in 2008, thought to have been the first data-driven campaign. Further reading: Republican Data-Mining Firm Exposed Personal Information for Virtually Every American Voter - The Intercept; The RNC Files: Inside the Largest US Voter Data Leak - Upguard; Data on 198M voters exposed by GOP contractor Data On 198M Voters Exposed By GOP Contractor - The Hill.
This discussion has been archived. No new comments can be posted.

198 Million Americans Hit By 'Largest Ever' Voter Records Leak

Comments Filter:
  • "Leak" (Score:2, Informative)

    by Anonymous Coward

    Pay a nominal fee to the right company and you have access to all voter records nationwide.

    This is "a matter of public record" in the information age: zero privacy.

    • Re: "Leak" (Score:1, Informative)

      by Anonymous Coward

      Already public data was made public! Make a big deal out of it, because Republicans!

      • It could be a violation of the analytic firms licence for the collated data...

      • Re: "Leak" (Score:5, Informative)

        by ShanghaiBill ( 739463 ) on Monday June 19, 2017 @11:09AM (#54648047)

        According to TFA, the "leaked" data contained much more than just public data. It contained info on religion, political persuasions, issues that you care about, etc. TFA doesn't say where that info came from, but most likely from donation records, social media scraping, and on-line tracking.

        As far as we know, the data was temporarily exposed, but wasn't actually leaked, and is not publicly available. That is too bad. I would be really curious to see what they think of me.

        • Re: (Score:1, Interesting)

          by Anonymous Coward

          It contained info on religion, political persuasions, issues that you care about, etc.

          Well... rather it contained their guesses about religion, political persuasions, issues, etc. There's no prohibition against making such guesses about someone. They are probably as you say basing it on donation records, social media scraping, and other voluntary disclosures by individuals.

          I was also curious to see what they thought of me, but as you say it appears there was no leak.

        • "but most likely from donation records, social media scraping, and on-line tracking"

          only the first item is most likely (but not necessarily) non-public data. the latter two could very well depending on how it was posted/obtained. privacy settings and who they shared posts with determine whether it was public or not.

        • The people who collected the data stated it was "only" available for a maximum of just over two weeks. Well - they would say that. I suppose it would have been illegal if Vickery had nosed around a bit more and looked at their logs.

        • I would be really curious to see what they think of me.

          Sorry, you are #198,000,001, so you didn't make the list.

    • by xystren ( 522982 )

      Another example of issues with electronic storage. Information stored on paper, inherently has security within the medium itself. It is very difficult to walk out with a warehouse of paper files without being noticed (or the amount of time it would take), where as with electronic , you can walk out with the equivalent of multiple warehouses of paper records in your pocket.

      Unfortunately big data is not going away. Worst part for us, we have no idea where that information is stored, who has access to it, and

      • Unfortunately big data is not going away.

        Au contraire, mon frere - the problem is that big data is travelling around the world all too freely!

  • Misleading title (Score:3, Interesting)

    by chispito ( 1870390 ) on Monday June 19, 2017 @10:35AM (#54647767)
    There's no indication that it was accessed prior to disclosure, so it may or may not have been, strictly speaking, "leaked." I'd be interested in exactly what kind of data this is, as I'm struggling to think of who I would want to have marketing info on me less than one of the Big Two political parties.

    From TFA

    We accept full responsibility, will continue with our investigation, and based on the information we have gathered thus far, we do not believe that our systems have been hacked," he said.

    • Re: (Score:3, Interesting)

      by deadwill69 ( 1683700 )

      And how would anyone need to hack a system with no username and/or password:

      "What UpGuard appears to have discovered, sitting on an Amazon cloud storage drive with no password or username required for access by anyone on the internet,"
      https://theintercept.com/2017/... [theintercept.com]

      I don't think anyone needs to hack that to get it.

      • That ship sailed.

        Munging up a URL has been 'hacking' for decades now.

      • And how would anyone need to hack a system with no username and/or password:

        "What UpGuard appears to have discovered, sitting on an Amazon cloud storage drive with no password or username required for access by anyone on the internet," https://theintercept.com/2017/... [theintercept.com]

        I don't think anyone needs to hack that to get it.

        Read between the lines. He means the data does not appear to have been ACCESSED prior to disclosure. He used the word "hacked" to control the narrative and keep the focus off how incompetent they were. Just like people who "hack" celebrity accounts by guessing easy passwords or security questions.

    • Re:Misleading title (Score:4, Interesting)

      by evolutionary ( 933064 ) on Monday June 19, 2017 @11:07AM (#54648035)
      "Leak" (not "leaked" as is deliberately published) was use to indicate something like a leaky faucet. There is a relatively formal term in the IT security field called "data leakage" which means sensitive data creeping outside of company/owner boundries without the intent of the owner Whether it be through casual email, carelessly posting files to a public server for at home convenience, or sending out files into a public space without encryption/password. The new buzzword for this rapid growing field of data loss (or leakage) prevention is DLP. (Data Loss Prevention)

      What the article is saying is the firm was as careless with their collected data as many people are when posting on facebook. It didn't even have to be "hacked" it was wide open. BTW, the claim that to the best of their knowledge only one person has accessed that data is a pretty lame response. The fact that the data was publicaly exposed for anyone to see at all shows amateur level of negligence.

      People with this mass amount of data should have better protocols for data exchange of authorized parties (obviously).

      There could well be legal repercussions from this because who you vote for is the most sacred form of privacy in a democracy. This compromises people's ability to vote without possible retaliation from friends, colleagues, employers or even governments. This is a seriously BIG deal. When your voting preferences cannot be kept private, you can't vote freely. I personally believe everyone should vote, but if you voting records are up for grabs in cyberspace, anyone could be pressure you. Hopefully people will stop foolishly giving their voting data or political preferences to marketing firms directly or indirectly. There is being friendly, then there is being careless.
      • Agreed, it sound to me their wasn't even a faucet that you had to turn in order to access data, so a "leak" is a misnomer. There was just an open pipe directly into the data itself. Now I would be more curious as to WHO set this environment up and neglected to follow ANY security procedures what so ever. This was inexcusable 20 years ago, I do not think that standard has changed.

        • I do agree with you in spirit, but with the amount of data being careless left "in the wild" on Amazon data servers these days it seems to be "common practice" to leave sensitive data in some insecure space. It's almost as if people WANT leave this data for others to get. I mean, even non-techies know the word "encryption" these days but I have seen (and patched in many cases) all sorts of data being left in the wild because some unthinking person said "what are the odds?", or "who is going to care" or " th
      • You may be right. however

        There could well be legal repercussions from this because who you vote for is the most sacred form of privacy in a democracy.

        It's still a private ballot. If you told someone who you voted for and they intentionally or unintentionally tell someone else... that's as much your fault as theirs.

        • True but...when you get these companies they always tell you your answers are treated "confidentially" so they say "trust us" and give you assurances that often get proved incorrect. But of course the phone operators are told the data IS secure. How would they know? Whenever I get calls there types of data I'm always asked and I say "no answer". "how will you vote", "what party are you most likely to support", "what is your income/revenue". Especially the income. People often have trouble saying "no" and th
      • by xtsigs ( 2236840 )

        People with this mass amount of data should have better protocols for data exchange of authorized parties (obviously).

        People should not have vast amounts of data. Period.

  • No Biggie (Score:2, Informative)

    by Anonymous Coward

    The Donald confirms they were all fake democrat registrations anyway.

  • by GrEp ( 89884 ) <crb002 AT gmail DOT com> on Monday June 19, 2017 @10:39AM (#54647801) Homepage Journal

    Commonly referred to as the "VAN", State voter participation records, even for party primaries/caucus, are a matter of public record. Who you voted for may be confidential, but that you showed up and voted isn't.

    Larger political organizations go the extra mile to annotate these records and aggregate them. They even have door to door pollsters that go around to those who have voted recently and target them with polling questions.

    IMHO it is a good thing this is open to the wider public, and not just in the hands of a few with the deep pockets to aggregate it.

    • Also to decide whom to pressure/suppress so that they will not vote

    • by Anonymous Coward
      The names of people on the vote roll are public. The addresses belonging to those names are semi-public (they are public, by most definitions, but generally not available in an unlimited manner to the general public, because some on the list may be private (unlisted, or could be used to connect stalkers to their prey). The private markup to those voters added by the GOP is most certainly not public.
    • by Anonymous Coward

      It is not ONLY state records it contains additional profiling information. The additional information is the thing to worry about here. Regardless of the accuracy of the information it could be abused in many ways. It could find it's way into other profiling systems and you could be denied a job because the employer doesn't like certain groups and their only source of that information is breaches such as this one.

      The billions spent on elections likely will produce the best profiling data on citizens along

  • American voters from all political parties

    What? Both of them?

    (I know there are more political parties in the USA, but Americans themselves do not seem to know it.)

    • (I know there are more political parties in the USA, but Americans themselves do not seem to know it.)

      The way our electoral college works means we effectively have only two national political parties. This does not have any effect on other elections, so you will occasionally see senators or congressmen from third parties - and, as you drill down to more local elections, this becomes more common (but not THAT common, even so).

    • Americans know that quite well. What you don't seem to know is that they are irrelevant due to the system which will prevent them from ever being in power.

      First past the post will always tend to a 2 party system eventually.

  • 198 million records of people over the age of 18 and registered to vote... isn't that basically "everyone who's registered to vote?" Or dang near?

    Anyone with more spare research cycles? How many registered voters are in america currently?

  • Can we class-action sue them if they leaked our data? If we get the usual $10 gift certificate to Hot Topic, that'd be a cool couple billion dollars. It would also propel Hot Topic to the top of the stock market.
    • Hot Topic

      With the direction most Americans' waistlines is going, it'd better be a gift certificate for Torrid, not Hot Topic. *drum hit*

    • by Revek ( 133289 )

      Wow! Great idea, for 10 bucks I can buy one of those Mario Brothers mushroom tins with the really shitty candy inside.

    • by Anonymous Coward

      Probably not successfully. The "leak" (the data may not even have actually been accessed, so no harm done) was comprised of public information such as "names, dates of birth, home addresses, phone numbers, and voter registration details", coupled with inferences they made themselves from data voluntarily disclosed by voters, which they are free to do with as they wish as it is the result of their own research and algorithms.

      It's very unlikely such a lawsuit would succeed though of course you could always t

  • They have no inherit right to that information. Its really non of their business at all. They shouldn't be allowed to gather any information on voters unless the voter allows them. I know its unlikely since they now want to be able to harass us with messages straight to our voicemail.

    • Of course they don't. That's why they paid for it.

      I love how our society progresses. In the dark ages, you could be bought and sold by the aristocracy. In our enlightened society of today, only your data can be traded anymore.

      Well, mostly 'cause you don't have to feed and shelter data, but hey...

    • by EvilSS ( 557649 )

      They have no inherit right to that information. Its really non of their business at all. They shouldn't be allowed to gather any information on voters unless the voter allows them. I know its unlikely since they now want to be able to harass us with messages straight to our voicemail.

      Then you should start talking to the states because voter records are public info and can be access for free by most local party committees and campaigns/parties/action groups/etc can pay the state for state-wide records in a wide variety of formats. Much of the time it's available on the county clerk website for anyone who pinkie-swears it's for a legitimate use (i.e. you are not allowed to use it for commercial purposes such as solicitations for products, etc).

  • That's some great data right there.
  • The data is relatively common and something you can find in any census or online "white pages," with perhaps the exception of the political party you're registered with. How is this information sensitive in nature?
    • by Anonymous Coward

      You are absolutely correct. I've worked as an precinct inspector and precinct coordinator since 1996, and all voter data is PUBLIC RECORD. The registered voter roster is posted on the front door of every precinct on election day, and anyone can read it. The full county voter registration database is freely provided to every candidate running for office, to every political party with ballot access and to anyone else who wants to pay $200 to the county registrar of voters for a CD-ROM of the entire database.

    • Not really, census data is not open to the public and penalties are in place for any who expose it. "White pages" (that I have seen) usually only expose the age, not the exact birth date. As birth date is a piece of the puzzle for identity thieves, I am not sure this is as innocuous as you are presenting.

    • While that information may be publicly available to one degree or another I don't think I would want it *freely* available to the next lunatic with a political axe to grind who lives down the street.

    • The data is relatively common and something you can find in any census or online "white pages," with perhaps the exception of the political party you're registered with.

      How is this information sensitive in nature?

      It is combined with all the data they bought from 3rd party aggregators, like facebook, ad companies and everybody else tracking and contains everything you have ever done that has been registered by soulless entity.

    • by etudiant ( 45264 )

      There are about 200 million voter records and 24 terabytes of data, so about 100,000 bytes/voter.
      That is lot more than just vote records or census data.
      The person who uncovered this data pool did note that it included among other things projections of each voters opinions and likely vote patterns, with surprising accuracy insofar as he was concerned, based on what his own profile showed.

  • by albacrankie ( 1017430 ) on Monday June 19, 2017 @11:22AM (#54648173)
    In my case, the spotlight is on managers who say, "put everything on S3".
  • The move largely a response to the successes of the Barack Obama campaign in 2008, thought to have been the first data-driven campaign.

    And look, it worked - too bad Obama's former campaign workers (now ensconced in his "Organizing For America" non-profit, which was fully-formed from his 2012 "Obama For America" campaign) were unavailable to Hillary...

  • It is scary when you start to realize how our information is not safe. It seems like new compromises are happening daily. But luckily there is a place where you can check if your information has been previously breached from other similar data leaks and breaches for free at https://heroic.com/ [heroic.com]
  • After Sony, we quickly heard their security was worthless - every VP who wanted to watch some video somewhere could get another hole punched in the firewall.
    Then the Democrats were "hacked" by.... asking for the top guy's password, which was promptly given!
    Warning after warning that we aren't taking this seriously. I'd love to make some stupid partisan remark about this ("these are the people who mocked Clinton for a potential data exposure that never happened?!!?") but the fact is that everybody has done incredibly stupid crap like this, are still doing it, and will continue.

    Until we get some kind of worse event, I guess. What will it take!?!

  • Florida voter records are public record and available freely to anyone that asks. That isn't a leak, it's called open government. What's the issue here again?

    • There are still a few countied in Florida where voter rolls are NOT public info. that dates back to the Voting Rights Act and voter intimidation. A few counties are still highly protected. Florida is the exception, however.
    • by dave420 ( 699308 )

      If you'd read the article (I know, I know) you'd see there is a lot more than just public records in this data, hence the article in the first place.

  • From Wapo: "It is not known whether the information has been accessed by anyone but Vickery." So not really a confirmed hit/leak, just a serious vulnerability at this point.
    • From Wapo: "It is not known whether the information has been accessed by anyone but Vickery." So not really a confirmed hit/leak, just a serious vulnerability at this point.

      All you have to do is believe them. Me - nah. Although I suppose whoever the Republicans are sending this to has what I just typed in 3..2..1..

  • Seems intentional. Why make the russians hack when you can just be incompetent.
  • Winning.

    There is absolutely no reason for regular people to safeguard anything about themselves, because the Government, and the Universities, and the hospitals, and the department stores simply give it away for free.

    And I suspect that the Republican party simply made a few of their best friends aware of this tiny little "mistake", and their new owner is very, very pleased.

To stay youthful, stay useful.

Working...