On Monday, a cyber risk researcher reported that an RNC contractor had exposed a database including nearly every single registered U.S. voter, including names, dates of birth, home and mailing addresses, registered party, and much more. Should Americans be worried that their data has been accessed and will be used against them?
There is reason to think the answer is “no.” Unlike in other high-profile cyber security cases, there has been no WikiLeaks “data dump,” nor even a threat that information will be released at a certain time, like in the case of cyber pirates stealing Pirates of the Caribbean: Dead Men Tell No Tales. Indeed, a conservative IT professional told PJ Media, “I doubt anyone stole the data.”
Nevertheless, the breach is still significant. UpGuard, the first outlet to report the story, characterized the breach as “perhaps the largest known exposure of voter information in history.”
UpGuard cyber risk analyst Chris Vickery discovered the breach last Monday, June 12. Vickery came across the data on an Amazon Web Services S3 bucket that lacked any protection against access. “Anyone with an internet connection could have accessed the Republican data operation used to power Donald Trump’s presidential victory, simply by navigating to a six-character Amazon subdomain,” UpGuard reported.
This “data warehouse” was owned and operated by Deep Root Analytics (DRA), a firm which has contracted with the Republican National Committee (RNC). The warehouse was secured against public access on June 14, shortly after Vickery notified federal authorities.
For the period between June 1 and June 14, 1.1 terabytes of data in the warehouse, an amount roughly equivalent to 500 hours of video, was fully downloadable. Among these accessible files were directories named for influential Republican organizations.
One set of files, “data_trust,” included two massive stores of personal information for the 2008 and 2012 presidential elections respectively, representing between them up to 198 million potential voters. Each state, and the District of Columbia, had a file which listed every voter in the database.
The files included information which is public record and can be requested from any state’s board of elections, but also proprietary data owned by DRA. It did not include any data from the RNC specifically.
“While Deep Root has confirmed the information accessed did not contain any proprietary information, the RNC takes the security of voter information very seriously and we require vendors to do the same,” the RNC said in a statement to PJ Media. “Deep Root Analytics has taken full responsibility for this situation and the RNC has halted any further work with the company pending the conclusion of their investigation into security procedures.”
Nevertheless, many outlets reported that RNC data was breached. The Washington Post had to issue a correction, noting that “an earlier version of [its] story incorrectly stated that the database that was vulnerable to theft belonged to the Republican National Committee.”
Why the confusion? Each file in the database listed potential voters by their “RNC ID,” a 32-character alphanumeric value. While these RNC IDs did mark each potential voter, the identification does not mean the data is owned by the RNC. DRA only used the RNC IDs internally in order to integrate their data with the RNC should the Republican organization hire them for work.
The RNC did indeed hire DRA during the 2016 election, and this very data was likely used to help Trump win the election.
Even so, the information was eerily accurate. UpGuard reporter Dan O’Sullivan wrote, “This reporter was able, after determining his RNC ID, to view his modeled policy preferences and political actions as calculated by TargetPoint,” an older Republican-linked data firm at which the president of DRA got his start. “It is a testament to both their talents, and to the real danger of this exposure, that the results were astoundingly accurate.”
While the database was unprotected, it is unlikely that anyone besides Vickery accessed the files, because a URL was necessary to do so.
In a statement on the breach, DRA announced it had hired cyber security firm Stroz Friedberg to conduct an investigation. The firm explained that it “builds voter models to help enhance advertiser understanding of TV viewership.” It insisted that “the data accessed was not build for or used by any specific client. It is our proprietary analysis to help inform local television ad buying.”
The accessed data was “proprietary information as well as voter data that is publicly available and readily provided by state government offices,” DRA continued.
“We take full responsibility for this situation,” the firm declared. “Since this event has come to our attention, we have updated the access settings and put protocols in place to prevent further access.”
Working with Stroz Friedberg, DRA noted that “we have learned that access was gained through a recent change in access settings since June 1.”
Importantly, the firm added that “based on the information we have gathered thus far, we do not believe that our systems have been hacked” (emphasis added).
As UpGuard’s O’Sullivan reported, however, the exposure does raise “significant questions about the privacy and security Americans can expect for their most privileged information.”
The U.S. intelligence community has warned that Russia attempted to hack into the American electoral process, and the WikiLeaks publication of emails from key Democratic National Committee (DNC) staffers and Hillary Clinton staff made a huge splash in last year’s election.
During the election, the Russians also attempted to hack into the RNC database, but it was secured. Despite some of Monday’s incorrect headlines, the RNC’s reputation for secure data remains intact.
Vickery has exposed other data breaches, notably a breach of 60,000 Department of Defense (DOD) files owned by Booz Allen Hamilton last month. While the UpGuard report seems intended as a sales pitch for cybersecurity services, Vickery has done good work in determining data breaches, and it is unlikely he will publish any of the information, since he reported it to the federal authorities.
This specific data breach may not pose a problem to U.S. voters, but it is likely that weak protections on sensitive information might do so in the future. It is vitally important for companies — including political contractors — to safeguard their data.