RNC contractor caught storing voter data on wide-open cloud server
Researchers say a massive, unsecured Amazon Web Services database containing information on nearly 200 million people was the work of a consulting company hired by the US Republican National Committee.
Security firm UpGuard said the records of 198 million voters, including dates of birth, addresses and phone numbers, were stored in a cloud database left out in the open by Deep Root Analytics, a research group that had been working for the Republicans to analyze data ahead of the 2016 presidential election.
The records, according to UpGuard, had been stored in an AWS S3 storage instance that had been misconfigured to leave public access open, meaning anyone who knew of the server’s AWS subdomain could pull up the 1.1TB of voter data.
UpGuard informed Deep Root of the exposed files last week and as of June 14 the storage instance was secured as private. Federal authorities have also been notified, says UpGuard.
“Spreadsheets containing this accumulated data – last updated around the January 2017 presidential inauguration – constitute a treasure trove of political data and modeled preferences used by the Trump campaign,” UpGuard writes.
“This data was also exposed in the misconfigured database and had been for an unknown period of time.”
According to UpGuard, the database had compiled detailed profiles on voters that the RNC used to help craft its shock win in the 2016 presidential race. When combined with an additional 24 terabytes of data that had been secured, Republican groups could see what the best strategies would be for appealing to crucial pockets of voters.
“Starting with the potential voter’s first and last names – limiting even the barest possibility of the data sets masking the identities of those described – the files go on to list a great deal more data, including the voter’s date of birth, home and mailing addresses, phone number, registered party, self-reported racial demographic, voter registration status, and even whether they are on the federal ‘Do Not Call’ list,” UpGuard writes.
“Also included as data fields are the ‘modeled ethnicity’ and ‘modeled religion’ of the potential voter – particularly sensitive personal details that have historically been a source of controversy for data collection.”
The exposure is an embarrassing misstep for the RNC at a time when IT and data security for both major political parties in the US are under a microscope. Following the massive DNC hack last summer and worries of vote hacking by outside groups in upcoming elections, the exposed data will bring yet another painful lesson for political parties on the risks that come with using detailed data analysis. ®
via The Register – Security http://ift.tt/2jCNZ5O
June 19, 2017 at 03:03PM