198 Million Americans Hit By 'Largest Ever' Voter Records Leak (zdnet.com)
Political data gathered on more than 198 million US citizens was exposed this month after a marketing firm contracted by the Republican National Committee stored internal documents on a publicly accessible Amazon server, reports say. From a ZDNet article: It's believed to be the largest ever known exposure of voter information to date. The various databases containing 198 million records on American voters from all political parties were found stored on an open Amazon S3 storage server owned by a Republican data analytics firm, Deep Root Analytics. UpGuard cyber risk analyst Chris Vickery, who found the exposed server, verified the data. Through his responsible disclosure, the server was secured late last week, and prior to publication. This leak shines a spotlight on the Republicans' multi-million dollar effort to better target potential voters by utilizing big data. The move was largely a response to the successes of the Barack Obama campaign in 2008, thought to have been the first data-driven campaign.
Further reading: Republican Data-Mining Firm Exposed Personal Information for Virtually Every American Voter - The Intercept; The RNC Files: Inside the Largest US Voter Data Leak - UpGuard; Data On 198M Voters Exposed By GOP Contractor - The Hill.
Commonly referred to as the "VAN", State voter participation records, even for party primaries/caucus, are a matter of public record. Who you voted for may be confidential, but that you showed up and voted isn't.
Larger political organizations go the extra mile to annotate these records and aggregate them. They even have door to door pollsters that go around to those who have voted recently and target them with polling questions.
IMHO it is a good thing this is open to the wider public, and not just in the hands of a few with the deep pockets to aggregate it.
bash-2.04$
bash-2.04$yes "Don't you hate dialup connections?"| write USERNAME
"Leak" (not "leaked" as in deliberately published) was used to indicate something like a leaky faucet. There is a relatively formal term in the IT security field called "data leakage" which means sensitive data creeping outside of company/owner boundaries without the intent of the owner, whether it be through casual email, carelessly posting files to a public server for at home convenience, or sending out files into a public space without encryption/password. The new buzzword for this rapidly growing field of data loss (or leakage) prevention is DLP. (Data Loss Prevention)
What the article is saying is the firm was as careless with their collected data as many people are when posting on Facebook. It didn't even have to be "hacked"; it was wide open. BTW, the claim that to the best of their knowledge only one person has accessed that data is a pretty lame response. The fact that the data was publicly exposed for anyone to see at all shows an amateur level of negligence.
People with this mass amount of data should have better protocols for data exchange of authorized parties (obviously).
There could well be legal repercussions from this because who you vote for is the most sacred form of privacy in a democracy. This compromises people's ability to vote without possible retaliation from friends, colleagues, employers or even governments. This is a seriously BIG deal. When your voting preferences cannot be kept private, you can't vote freely. I personally believe everyone should vote, but if your voting records are up for grabs in cyberspace, anyone could pressure you. Hopefully people will stop foolishly giving their voting data or political preferences to marketing firms directly or indirectly. There is being friendly, then there is being careless.
"Imagination is more important than knowledge" - Einstein
According to TFA, the "leaked" data contained much more than just public data. It contained info on religion, political persuasions, issues that you care about, etc. TFA doesn't say where that info came from, but most likely from donation records, social media scraping, and on-line tracking.
As far as we know, the data was temporarily exposed, but wasn't actually leaked, and is not publicly available. That is too bad. I would be really curious to see what they think of me.
In my case, the spotlight is on managers who say, "put everything on S3".
After Sony, we quickly heard their security was worthless - every VP who wanted to watch some video somewhere could get another hole punched in the firewall.
Then the Democrats were "hacked" by.... asking for the top guy's password, which was promptly given!
Warning after warning that we aren't taking this seriously. I'd love to make some stupid partisan remark about this ("these are the people who mocked Clinton for a potential data exposure that never happened?!!?") but the fact is that everybody has done incredibly stupid crap like this, are still doing it, and will continue.
Until we get some kind of worse event, I guess. What will it take!?!
It has https in the url, so of course it is a safe site. Don't you know nothin bout the interwebs?
Please do tell, oh victimized conservative, how calling the Republican effort "multi-million" and not, this time, calling the Democratic equivalent the same label, although it has been done many, many, times before, is somehow harmful to Republicans.
Is someone seriously not going to vote Republican because they heard they spent millions of dollars on a part of their campaign? Is someone seriously going to think the Democrats don't?
You are not alone. This is not normal. None of this is normal.
Which is, frankly, much worse than leaking Social Security numbers or health data. If they had leaked the SSN of everyone in America, it would force some real reform of the credit agencies, preventing them from treating an SSN as proof of identity, but overall, the public wouldn't be harmed. If anything, they would be helped by exposing the notion of "identity theft" as the credit-agency contrivance (fraud) that it is.
And the worst-case scenario for leaking health data is embarrassment if somebody got an STD, but that would quickly become uninteresting to people because it would also quickly demonstrate how many people do. You might occasionally have hiring bias by people who want to avoid their health insurance costs going up, but I would not expect that to be common (because it is quite illegal).
But exposing everyone's likely voting behavior is a grievous violation of personal privacy. Ask a Republican in a majority-Democrat region or a Democrat in a majority-Republican region, and ask them if they think that the people around them would be less likely to hire them if they knew their political affiliation. Ask them if it will affect their ability to socialize. And so on. Thus, voting data can be easily abused to pressure people into conformity.
Worse, that small-scale abuse has the potential to shift the balance of elections, which means that leaking this data potentially has a national impact as well as an individual impact. Based on that, I would argue that party affiliation and likelihood of voting for a given party is quite possibly the most private information that anyone can have about you, and that making that information available publicly is one of the worst breaches of the public's trust that a political organization can commit.
Check out my sci-fi/humor trilogy at PatriotsBooks.