Personal information pertaining to as many as 198 million American registered voters was held in a publicly accessible online database, a security researcher revealed today (June 19).
The data was held in an online repository operated by Deep Root Analytics (DRA), a voter-data-analytics firm associated with the Republican National Committee. It included full names, street addresses, dates of birth, telephone numbers, political affiliation and ethnicities, but did not include more sensitive data such as email addresses, Social Security numbers or financial information.
What You Need to Know
It's important to note that there's not much risk to the affected individuals, as the database has been secured and most of the information was already publicly available.
Because there's no evidence that the data was stolen or posted online, it doesn't seem that the affected individuals (almost everyone who was registered to vote in the 2008 and 2012 U.S. presidential elections) would be at greater risk of identity theft. Even if the database were to be made public — as did happen in a similar case in December 2015 — the increased risk would be pretty small.
The database was discovered by Chris Vickery, a security researcher who specializes in finding unsecured sensitive data online. (Vickery found the 2015 database as well.) On June 12, Vickery was poking around the Amazon Web Services (AWS) repository belonging to DRA and discovered that a subdomain called "dra-dw" was accessible without a password.
"DW" stood for "data warehouse," according to a blog posting by UpGuard, the firm for which Vickery currently works. It contained 24 terabytes of data that Vickery couldn't access, and 1 terabyte of data that he could access. That last bit included the voter records and a cache of politically oriented Reddit posts.
Vickery notified DRA on June 14, but only after he had downloaded everything that he could access. (The unspoken question is why he didn't notify DRA when he initially found the data.) The company closed off access almost immediately.
In a statement to The Intercept, a representative for DRA said that the database was left exposed following "a change that was made in the files' asset access protocols."
"We believe the change that was made happened post June 1, 2017, which was when we last evaluated and updated our security settings," the statement said. "We do not believe that our systems have been hacked. To date, the only entity that we are aware of that had access to the data was Chris Vickery."