ShareThis Page

Exposed on the internet: U.S. voters' personal data, likely views on politics

| Monday, June 19, 2017, 6:09 p.m.

WASHINGTON — A Virginia data firm working for the Republican National Committee left voting records of 198 million Americans exposed on the internet and accessible to anyone, a California cybersecurity firm said Monday.

The data firm left exposed not only the vast national database but also precise and painstaking projections for most voters of their attitudes on a variety of issues, including Obamacare, lower taxes, immigration, fossil fuels and environmental consciousness.

The records were exposed to anyone who knew rudimentary search techniques, said UpGuard, a Mountain View, Calif., cybersecurity firm, but the records have since been secured.

The enormous national database included names, dates of birth, home addresses, phone numbers, party affiliation, racial demographics and voter registration status, UpGuard said in its internet post.

Following a series of hacks on political parties last fall, and attempts by Russia to access election rolls and machinery at the state and local level, the vulnerability of the U.S. electoral process has become a hot topic on Capitol Hill, including a House intelligence panel hearing to take place Wednesday on “Russian active measures during the 2016 election campaign.”

UpGuard's disclosure raises even deeper questions about the responsibilities of political parties and private firms in securing and protecting data that is parsed and dissected through increasingly high-powered analytic tools.

“The fact is that if you're a registered voter, your personal information was exposed here. I think that will be troubling to a lot of people,” said Dan O'Sullivan, a cyber resilience analyst at UpGuard.

The RNC-linked firm, Deep Root Analytics, of Arlington, Va., issued a statement saying the information “was accessed without our knowledge.” Controls were since put in place “to prevent further access. We take full responsibility for this situation.”

The company, which said the data were used for targeted television advertising, said network access settings were changed sometime after June 1, leaving the data vulnerable but providing only a small window of time for exposure. It added that it believes UpGuard's researcher, Chris Vickery, was the only person to have downloaded the data. It said it had hired a Washington cybersecurity firm, Stroz Friedberg, to review how the vulnerability happened.

“Based on the information we have gathered thus far, we do not believe that our systems have been hacked,” Deep Root Analytics said in the statement.

O'Sullivan said the information was kept by Amazon Web Services, a cloud-based storage provider, and was not password-protected.

“If we can find that, anyone can find that,” O'Sullivan said. “It didn't take anyone with special engineering.”

The United States has about 200 million registered voters, so the data exposed would encompass nearly the entire universe of U.S. voters.

Vickery, who was working as part of UpGuard's Cyber Risk Team, discovered a data repository on Amazon Web Services on June 12 and downloaded it, a total of 1.1 terabytes of data, equivalent to 500 hours of video, the company said.

Vickery, who is noted for finding sensitive information on the internet in the past, guessed a subdomain name — “dra-dw” — which stands for Deep Root Analytics-data warehouse, UpGuard said. Vickery notified federal authorities of the matter June 14, and it was quickly secured.

Voting records are public, but access is not always freely available and can be restricted in terms of use. Massive databases of aggregated national voter rolls have become more valuable in political campaigns with each passing election, allowing for micro-targeting of campaigns down to the individual.

Working with Deep Root Analytics in compiling the data were two other firms with strong ties to the Republican National Committee, Target Point Consulting Inc. and Data Trust, UpGuard said, and all were involved in President Trump's 2016 campaign.

In addition to the general database information were files on U.S. voters containing 9.5 billion projections on a series of 46 issues, UpGuard said.

“It's not just who you voted for. It's, you know, ‘Do you agree that companies shouldn't be allowed to ship jobs overseas?' Do you agree with President Trump's America First foreign policy? Do you agree we need to move away from fossil fuels?' ” O'Sullivan said.

O'Sullivan said employees looking in the database for their own records and projections found them “to be quite accurate” for themselves.

UpGuard does not plan to hang on to the databases.

“We don't want this on our hands. Essentially, we want to hang onto it only so long as the authorities require it, and then get rid of it, permanently delete the data,” O'Sullivan said.

TribLIVE commenting policy

You are solely responsible for your comments and by using you agree to our Terms of Service.

We moderate comments. Our goal is to provide substantive commentary for a general readership. By screening submissions, we provide a space where readers can share intelligent and informed commentary that enhances the quality of our news and information.

While most comments will be posted if they are on-topic and not abusive, moderating decisions are subjective. We will make them as carefully and consistently as we can. Because of the volume of reader comments, we cannot review individual moderation decisions with readers.

We value thoughtful comments representing a range of views that make their point quickly and politely. We make an effort to protect discussions from repeated comments either by the same reader or different readers

We follow the same standards for taste as the daily newspaper. A few things we won't tolerate: personal attacks, obscenity, vulgarity, profanity (including expletives and letters followed by dashes), commercial promotion, impersonations, incoherence, proselytizing and SHOUTING. Don't include URLs to Web sites.

We do not edit comments. They are either approved or deleted. We reserve the right to edit a comment that is quoted or excerpted in an article. In this case, we may fix spelling and punctuation.

We welcome strong opinions and criticism of our work, but we don't want comments to become bogged down with discussions of our policies and we will moderate accordingly.

We appreciate it when readers and people quoted in articles or blog posts point out errors of fact or emphasis and will investigate all assertions. But these suggestions should be sent via e-mail. To avoid distracting other readers, we won't publish comments that suggest a correction. Instead, corrections will be made in a blog post or in an article.