GOP data firm leaks personal info on almost 200 million Americans

David Matthews


Deep Root Analytics, a conservative marketing and data firm, confirmed to Gizmodo that political data collected on nearly 200 million Americans was publicly exposed. To put that into context, the total population of the United States is over 300 million. The data contained a treasure trove of personally identifiable information (PII) on voters including birthdays, phone numbers, and home addresses. The sheer magnitude of this leak makes it the largest known leak of American voter records.

Per Chris Vickery, a cyber risk analyst for UpGuard who discovered the leak, Deep Root stored these documents on an Amazon server that was publicly available. The server was not password-protected and was completely accessible to anyone who knew the URL. The founder of Deep Root, Alex Lundry, commented to Gizmodo saying, “We take full responsibility for this situation. Since this event has come to our attention, we have updated the access settings and put protocols in place to prevent further access.” Lundry later commented that they don’t believe their systems were hacked and that the data was not accessed by any malicious third parties while it was exposed.
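The failure the article describes is cloud storage readable by anyone who knows the URL, with no authentication in front of it. The following is an added example, not code from the article, Deep Root or UpGuard, and it assumes the storage was an Amazon S3 bucket (the article only says "Amazon server"). It audits the three places S3 public exposure comes from: the bucket ACL (grants to the AllUsers or AuthenticatedUsers groups), the bucket policy (unconditional Allow to Principal "*"), and the account or bucket Block Public Access settings. The ACL, policy and bucket names below are constructed sample data, and the checks run fully offline on those documents so they can be dropped into a review of a configuration export.

```python
"""Offline audit of S3-style access configuration for anonymous exposure.

Constructed example: the bucket names, ACL grants and policy documents below
are made up for illustration; they are not Deep Root's or UpGuard's data.
"""
import json

# Canonical URIs AWS uses for the two "everyone" groups in S3 ACL grants.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}


def acl_public_grants(acl):
    """Return (group, permission) pairs the ACL hands to everyone (AllUsers)
    or to any AWS account at all (AuthenticatedUsers). The ACL shape follows
    a GetBucketAcl response: {"Grants": [{"Grantee": {...}, "Permission": ...}]}."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return found


def _principal_is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def policy_public_statements(policy):
    """Return the Sids of Allow statements that grant a wildcard principal
    any action with no Condition block. A Condition can still be too loose,
    but an unconditional wildcard Allow is an exposure by definition."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    hits = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


def block_public_access_enforced(config):
    """True only when all four PublicAccessBlockConfiguration flags are on."""
    required = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(config.get(key) is True for key in required)


def audit_bucket(acl, policy, public_access_block):
    """Combine the three checks into a list of findings; empty means clean."""
    findings = []
    for group, perm in acl_public_grants(acl):
        findings.append(f"ACL grants {perm} to {group}")
    for sid in policy_public_statements(policy):
        findings.append(f"policy statement {sid} allows Principal '*' unconditionally")
    if not block_public_access_enforced(public_access_block):
        findings.append("Block Public Access is not fully enabled")
    return findings


# --- constructed sample data: an exposed bucket and its hardened counterpart ---
EXPOSED_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-example"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
EXPOSED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-voter-data/*"},
]}
NO_BLOCK = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

HARDENED_ACL = {"Grants": [EXPOSED_ACL["Grants"][0]]}   # owner only
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AnalystsOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-analyst"},  # placeholder role
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-voter-data/*"},
]}
FULL_BLOCK = {key: True for key in NO_BLOCK}

if __name__ == "__main__":
    for label, args in (("exposed", (EXPOSED_ACL, EXPOSED_POLICY, NO_BLOCK)),
                        ("hardened", (HARDENED_ACL, HARDENED_POLICY, FULL_BLOCK))):
        print(label, audit_bucket(*args) or ["no public exposure found"])
```

Against a live account the same three documents come from the GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock API calls; the checks above are deliberately kept pure so they can be unit-tested and run on an exported snapshot. Block Public Access is the control that would have overridden a permissive ACL or policy regardless of how the bucket was later configured, which is why the audit treats an incomplete block configuration as a finding on its own.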

In addition to the PII, other types of data, such as analyses of voter sentiment on various issues, were also found. Other data sources include The Data Trust, which is the Republican Party’s primary provider of voter information; Americans for Prosperity, a conservative political group headed by the Koch brothers; and The Kantar Group, a market research company that provides data on political advertisements.

Most of this data is meant to help predict how certain voters will swing and whether they support initiatives by Republican or Democratic candidates. Knowing where voter sentiment stands on certain hot-button issues allows ad campaigns to target particular states or demographics to win support for a candidate or issue.

Much of this data is standard fare (and legal) in the political sphere. Both Republicans and Democrats gather enormous amounts of data (the Deep Root leak was at least a terabyte) on potential voters, which helps them direct their message. Much of the data, such as voter rolls, is widely available on the internet for public consumption. However, the inability of major political parties to protect the personally identifiable information of Americans is disconcerting, to say the least.

Data Trust provides its data to political groups but doesn’t ensure that they are taking steps to properly secure the data they are given. Because of the short-term nature of political campaigns, cybersecurity is often relegated to a lower priority. In a time when state-sponsored hacking is on the rise, including possible attempts by Russia to influence the 2016 election, it’s a little concerning that political parties do not take cybersecurity more seriously.

"Because of the short-term nature of political campaigns, cyber-security is often relegated to lower priority."

Anyone who believes cyber-security is a low priority should not be running a business or non-profit. Legislation needs to be passed to fine the living s**t out of companies/organizations for breaches and leaks. It is so commonplace now, you see it near daily right after the latest terror attack.
 
What are they smoking to claim that bad actors were not accessing the data?

The article clearly mentions that only the URL is needed to access the server; the data may have been downloaded already.
 
If techspot is going to start removing comments I expect a response. This is how you lose a good reputation and readers.

The mod's response is usually in the notifications. "Too savage," "Unsportsmanlike," and "Wrong forum," are typically the reasons they'll remove a post. But I'm only speaking from my experience.

What did you say?
"Because of the short-term nature of political campaigns, cyber-security is often relegated to lower priority."

Anyone who believes cyber-security is a low priority should not be running a business or non-profit. Legislation needs to be passed to fine the living s**t out of companies/organizations for breaches and leaks. It is so commonplace now, you see it near daily right after the latest terror attack.

This won't do anything more than increase costs for smaller businesses that actually take cyber security seriously. What you do (to fix the problem) is open them up to be sued by the people identified in the data and award huge sums of money to plaintiffs who can demonstrate negligence.
 
This won't do anything more than increase costs for smaller businesses that actually take cyber security seriously. What you do (to fix the problem) is open them up to be sued by the people identified in the data and award huge sums of money to plaintiffs who can demonstrate negligence.

You have a point and I like your option better. I see a problem existing from it though: it would be hard for someone who is affected to prove the company neglected to protect their data. It would only even be known if the breach is made public and someone sees it in the news and checks into it. There is still a need for legislation, something along the lines that companies are mandated to inform their customers of breaches (think Yahoo and how it kept quiet about their 2 breaches). To prove the company didn't take measures to protect data (let's say they did try) would be hard to determine in a court of law, seeing as most people are not tech savvy. It would have to take a security firm doing an audit to say the company didn't do enough, if anything at all. In this case... "we made the password harder to guess and enabled account lockout" - is that enough? Who would define what is considered "enough protection" to mitigate a possible lawsuit?
 
"Because of the short-term nature of political campaigns, cyber-security is often relegated to lower priority."

Anyone who believes cyber-security is a low priority should not be running a business or non-profit. Legislation needs to be passed to fine the living s**t out of companies/organizations for breaches and leaks. It is so commonplace now, you see it near daily right after the latest terror attack.

This won't do anything more than increase costs for smaller businesses that actually take cyber security seriously. What you do (to fix the problem) is open them up to be sued by the people identified in the data and award huge sums of money to plaintiffs who can demonstrate negligence.

So smaller firms should not have to have cyber security because they cannot afford it, and then it is up to us, if we are harmed, to prove negligence? IMO, that places so much of the burden on people affected that it then becomes onerous for those who cannot afford court costs; your argument of it costing too much would certainly apply to those affected who have to prove both damages and negligence. Did you follow that?

Certainly some who experience damages would not be able to prove anything because they cannot afford court costs. So now we place blame on those affected by the lack of competence or whatever that some, and possibly, many businesses exhibit. Brilliant! Why did I not think of that?

I see many who think that regulations cost businesses of all sizes money, however, as I see it, those same regulations really only cost businesses money when they are violated. Unfortunately, businesses are not run by angels. Until businesses are run by angels, regulations on businesses will remain a necessity.
 
You have a point and I like your option better. I see a problem existing from it though: it would be hard for someone who is affected to prove the company neglected to protect their data. It would only even be known if the breach is made public and someone sees it in the news and checks into it. There is still a need for legislation, something along the lines that companies are mandated to inform their customers of breaches (think Yahoo and how it kept quiet about their 2 breaches). To prove the company didn't take measures to protect data (let's say they did try) would be hard to determine in a court of law, seeing as most people are not tech savvy. It would have to take a security firm doing an audit to say the company didn't do enough, if anything at all. In this case... "we made the password harder to guess and enabled account lockout" - is that enough? Who would define what is considered "enough protection" to mitigate a possible lawsuit?

This could potentially be rectified by having a security firm do an annual or biannual assessment of the firm's cyber security. Both firms would retain a copy of the assessment and recommendations. In the event of a breach, affected parties could have said documents examined to see if management took appropriate actions following the review.

Security firms may have mixed feelings about this because it puts their reputation on the line as well, but I think that would be a good thing for the people whose data is being stored.

Better yet, you can make it an opt-in instead of a hard regulation, once again putting all political risk on the data-holding firm in the event of a breach. Offering a tax incentive for cyber security-related expenditures would also encourage them to take these things more seriously. This is something they've done with recycling for decades.
 
Are you speaking to larger businesses? That is the feeling I get when I read your post. I am speaking to ALL businesses. Any business that gathers data on their customers (email & home address, phone #, CC info, etc.) has things that need to be protected. From Amazon to the lowest mom and pop shop, cyber security needs to be taken seriously. The smaller businesses may not be able to afford a security assessment. Hell, they may barely afford the crappy computer running their website, but that shouldn't exclude them from having protections in place. IMO cyber security needs to be taken into consideration as much as safety. There are so many protections for a customer where safety is concerned, but no one really gives a damn about customer data like they do safety. The lax approach to cyber security needs to change as the needs grow along with the threats. This past election cycle proved our politicians are not doing enough to protect themselves, let alone us.

If I could, I would start a security firm that did just this and lobby to have laws passed so businesses of any size took security seriously. It would be super busy and make some pretty good money. Who knows, someone could be doing just that and we don't know.
 
Are you speaking to larger businesses? That is the feeling I get when I read your post. I am speaking to ALL businesses.

So am I. My approach is simply different. If you want real changes at the corporate level you have to make a business case for increased security, not an ethical or legal (regulatory) one. Smaller firms not wanting to opt-in to a program for cost reasons is better than not having those firms to begin with due to compliance costs.

The financial industry is an excellent example of this. Every time some big firm screws over its clients, armies of lawyers lobby for increased regulations. The end result is that (1) smaller firms stop growing/go out of business, (2) new firms show up less frequently, and (3) the people who caused the problems in the first place increase their market share as a result of (1) and (2).
 
Alex Lundry says "We take full responsibility for this situation". Is he committing seppuku or resigning, losing any income? Of course not; he has "updated the access settings and put protocols in place to prevent further access". Seems like he is doing what any person would do; somehow this seems less than 'taking full responsibility for this situation' considering the size of the leak and the information contained. He seems to be getting off scot-free.