The RNC Exposed Personal Data Of Almost 200M American Voters On The Internet: Report
The Republican National Committee (RNC) left several databases containing information on nearly 200 million American voters unsecured on the internet, allowing anyone who knew where to look to download the data without a password, several news outlets reported Monday.
The databases were part of 25 terabytes of files contained in an Amazon cloud account that could be browsed without logging in.
As reported by The Hill:
The account was discovered by researcher Chris Vickery of the security firm UpGuard. Vickery is a prominent researcher in uncovering improperly secured files online. But, he said, this exposure is of a magnitude he has never seen before.
“In terms of the disc space used, this is the biggest exposure I’ve found. In terms of the scope and depth, this is the biggest one I’ve found,” said Vickery.
The accessible files, according to UpGuard, contain a main 198-million-entry database with names, addresses of voters and an “RNC ID” that can be used with other exposed files to research individuals.
That file appears in a folder titled “target_point,” an apparent reference to another firm contracted by the RNC to crunch data. UpGuard speculates that the folder may imply that the firm TargetPoint compiled and shared the data with Deep Root. Another folder appears to reference Data Trust, another contracted firm.
What is uncommon in this case is the size and scope of this exposure. If its records are accurate, the Deep Root Analytics exposure contains information on more than half of the American population. It dwarfs the second-largest exposure of voter information — 93.4 million records of Mexican citizens — by more than 100 million voters and tops the largest data breach of voter information — 55 million records of Philippine voters — by more than 140 million.
“We take full responsibility for this situation,” said the contractor, Deep Root Analytics, in a statement.
The files were secured shortly after Vickery made the discovery during the night of June 12 and notified relevant regulatory bodies, according to the report.