Deep Root Analytics, a conservative marketing and data firm, confirmed to Gizmodo that political data collected on nearly 200 million Americans was publicly exposed. To put that into context, the total population of the United States is over 300 million. The data contained a treasure trove of personally identifiable information (PII) on voters including birthdays, phone numbers, and home addresses. The sheer magnitude of this leak makes it the largest known leak of American voter records.
Per Chris Vickery, a cyber risk analyst for UpGuard that discovered the leak, Deep Root stored these documents on an Amazon server that was publicly available. The server was not password-protected and was completely accessible to anyone who knew the URL. The founder of Deep Root, Alex Lundry, commented to Gizmodo saying, “We take full responsibility for this situation. Since this event has come to our attention, we have updated the access settings and put protocols in place to prevent further access.” Lundry later commented that they don’t believe their systems were hacked and that the data was not accessed by any malicious third parties while it was exposed.
In addition to the PII, other types of data such as analysis on voter sentiment on various issues was also found. Other data sources include The Data Trust, which is the Republican’s primary provider of voter information; the Americans for Prosperity, a conservative political group headed by the Koch brothers; and The Kantar Group, a market research company that provides data on political advertisements.
Most of this data is to help predict how certain voters will swing and if they support initiatives by Republican or Democratic candidates. Knowing what voter sentiment is on certain hot button issues allows ad campaigns to target certain states or demographics to persuade support for a candidate or issue.
Much of this data is standard fare (and legal) in the political sphere. Both the Republicans and Democrats gather enormous amounts of data (the Deep Root leak was at least a terabyte) on potential voters which help them direct their message. Much of the data, such as voter rolls, are widely available on the internet for public consumption. However, the inability of major political parties to the protect personally identifiable information of Americans is disconcerting to say the least.
Data Trust provides their data to political groups but doesn’t ensure that they are taking steps to properly secure the data that’s given. Because of the short-term nature of political campaigns, cybersecurity is often relegated to lower priority. In a time where state sponsored hacking is on the rise including possible attempts by Russia to influence the 2016 election, it’s a little concerning that political parties do not take cybersecurity more seriously.