Accidental Data Leak Exposes 198 Million Americans’ Personal Information
The 2016 presidential election was noteworthy not just because of its outcome, but also for the extent to which both parties used technical data collection behind-the-scenes to secure victories in swing states. Just last week, a cyber risk analyst stumbled onto a trove of that gathered data, collected on 198 million Americans, on an unprotected server.
The analyst, Chris Vickery, an employee of the cyber security startup UpGuard, came across the 1.1 terabytes of data on an Amazon cloud server, which wasn’t password protected and was accessible to anyone with the URL address. According to UpGuard, it took Vickery several days to download the extensive dataset, which may have been left open and exposed for 10 to 14 days.
UpGuard is calling this leak the “largest known data exposure of its kind,” and confirmed that the discovered content includes names, dates of birth, home addresses, phone numbers, and indications of individuals’ ethnicities and religions. Voters’ political views on hot-button campaign issues such as fossil fuels and taxes were also minutely recorded, likely for future micro-targeted campaigns.
Currently downloading what is, basically, the home address of every Trump supporter.
Understand the cloud before you upload to it. pic.twitter.com/nRPb98jwoP
— Chris Vickery (@VickerySec) June 13, 2017
The information was collected by GOP data firm Deep Root Analytics, one of three data firms hired by the RNC to help Donald Trump win the presidential election.
The firm acknowledged that the data was theirs on Friday and released a statement apologizing for the breach.
Deep Root Analytics CEO Brent McGoldrick said the company takes “full responsibility” for the leak. He added that the mistake was likely due to “a recent change in asset access settings since June 1.”
Although much of the data collected by Deep Root Analytics is available online through more innocuous sources, many have been quick to analyze the leak’s potential cyber security ramifications.
“That such an enormous national database could be created and hosted online, missing even the simplest of protections against the data being publicly accessible, is troubling,” UpGuard said on their website.
“This is deeply troubling,” Privacy International’s policy officer Frederike Kaltheuner told BBC News. “This is not just sensitive, it’s intimate information, predictions about people’s behavior, opinions, and beliefs that people have never decided to disclose to anyone.”
While this leak could have been much more damaging and revealed more secretive information, experts say this should be a cautionary warning. If companies don’t make cyber security a priority, individuals may have to worry a lot more the next time a leak occurs.