US Hit By Largest-Ever Voter Data Breach

The US has been hit by its largest-ever breach of voter data after a contractor for the Republican party exposed personal information on more than 198 million citizens, or about 61 percent of the country’s population.

The data, in the form of about 1.1 terabytes of spreadsheets, was stored in an Amazon Web Services S3 storage repository that was accessible to anyone who knew its online address, according to security firm UpGuard.

Data trove

UpGuard risk analyst Chris Vickery discovered the trove on 12 June while scanning for publicly accessible data.

The spreadsheets contain data compiled by Deep Root Analytics, a firm contracted by the Republican National Committee (RNC) to analyse audiences for political campaign advertisements, with the information apparently being drawn from various sources.

This includes publicly accessible voter records, Republican Party canvassing activities and information scraped from social media websites including Reddit.

The records list personal information such as home addresses, birthdates and phone numbers, as well as predictions around where users stand on sensitive issues and their suspected religious affiliation and ethnicity.

The data was used during election campaigns, including last year’s presidential campaign, and as such covers nearly all of the US’ 200 million registered voters. It was last updated in January at the time of the presidential inauguration, according to UpGuard.

Deep Root took responsibility for the exposure, saying the data was left accessible to the public due to a configuration change that occurred on 1 June and which was corrected on 14 June.

“Since this event has come to our attention, we have updated the access settings and put protocols in place to prevent further access,” said Deep Root founder Alex Lundry in a statement.

‘Troubling’ find

He said the firm didn’t believe any unauthorised parties had accessed the spreadsheets.

UpGuard said the scale of the breach was disturbing. “That such an enormous national database could be created and hosted online, missing even the simplest of protections against the data being publicly accessible, is troubling,” wrote UpGuard’s Dan O’Sullivan in an advisory.

“The ability to collect such information and store it insecurely further calls into question the responsibilities owed by private corporations and political campaigns to those citizens targeted by increasingly high-powered data analytics operations.”

O’Sullivan said the breach may be the largest known exposure of voter information in history, roughly double the size of a breach last year that included data on 93 million Mexican voters.

Large-scale data analytics has played an increasingly controversial role in recent elections, including last year’s presidential election in the US and the recent EU referendum and general elections in the UK, as well as being used more broadly to shape public opinion.

Manipulating public opinion

In March the Information Commissioner’s Office (ICO) said it would investigate the use of analytics and personal data to sway voters ahead of last year’s EU referendum.

The data-protection watchdog said it is also looking into the broader use of data analytics techniques to influence public opinion and how they capture and use citizens’ data.

The use of certain types of personal data for campaign purposes, such as Facebook “likes,” is permitted in the US, but in the UK and the EU it requires explicit consent by those involved.

A series of studies published on Monday by the University of Oxford found propaganda on social media was being used to manipulate public opinion around the world.

Do you know all about security in 2017? Try our quiz!