Confidential and sensitive details of over 198 million US citizens were leaked online by an analytics firm hired by the Republican National Committee.
Personal and sensitive details of 198 million US citizens were stored in an unprotected Amazon cloud server which anyone could access by using a web address.
Deep Root Analytics, a marketing and analytics firm, was entrusted by the Republican party to gather data on voters from across the country for a fee of $1 million. Once it had compiled data on 198 million US voters, the firm decided to store all of it on an unprotected Amazon cloud server.
Access to the data wasn't protected by a password, and anyone in possession of its web address could access it and even redistribute it. Personal details of voters included their names, home addresses, dates of birth, phone numbers, religious affiliations, political views, ethnicities and their respective views on gun control, stem cell research and the right to abortion.
The leak was first observed by Chris Vickery, a researcher at security firm UpGuard. Vickery noted that Deep Root Analytics obtained data on nearly 200 million US citizens from a large number of Reddit posts as well as from other firms like Data Trust, The Kantar Group, TargetPoint Consulting, Inc., and American CrossRoads.
Following the revelation, Deep Root Analytics took full responsibility for the leak but also stressed that the data was not breached by any third party.
"We take full responsibility for this situation. Based on the information we have gathered thus far, we do not believe that our systems have been hacked. Since this event has come to our attention, we have updated the access settings and put protocols in place to prevent further access," Alex Lundry, founder of Deep Root Analytics, told Gizmodo.
According to security firm UpGuard, the Republican National Committee obtained data on nearly all of America's 200 million registered voters by using data analytics firms like Deep Root Analytics, TargetPoint, and Data Trust, and also by influencing potential voters to predict their behaviour.
"The RNC data repository would ultimately acquire roughly 9.5 billion data points regarding three out of every five Americans, scoring 198 million potential US voters on their likely political preferences using advanced algorithmic modeling across forty-eight different categories," wrote UpGuard journalist Dan O'Sullivan in a blog post.
"That such an enormous national database could be created and hosted online, missing even the simplest of protections against the data being publicly accessible, is troubling. The ability to collect such information and store it insecurely further calls into question the responsibilities owed by private corporations and political campaigns to those citizens targeted by increasingly high-powered data analytics operations," he added.
This isn't the first time that sensitive details of citizens have been stored on unprotected cloud servers. Earlier this month, US defence contractor Booz Allen Hamilton stored classified and sensitive defence data on unprotected Amazon S3 cloud storage. The stored data was publicly accessible and was connected to a US department responsible for battlefield satellite and drone surveillance imagery.
The unprotected data contained a Booz Allen Hamilton engineer's remote login (SSH) keys as well as login credentials for another system owned by the contractor. If discovered by malicious hackers, the login credentials could have been used to unearth more sensitive and classified data connected to US defence departments.
"Despite the breadth of this breach, it will doubtlessly be topped in the future—to a likely far more damaging effect—if the ethos of cyber resilience across all platforms does not become the common language of all internet-facing systems," O'Sullivan added.
"How the leak occurred demonstrates that the threat to data doesn't always come from cybercriminals - it can just as easily happen if someone doesn't understand the vulnerabilities of different platforms. There was no malice here, just a lack of education and it highlights just how profound the unintentional insider threat can be," said Dr. Jamie Graves, CEO at ZoneFox.
"All companies are in the business of data. As such they've got to ensure they have visibility into their most prized asset and know the security limitations of their chosen platform in order to be in control of their information. After all, if they aren't in the driving seat how can they protect it?" he added.