largest ever voter records leak (1 Viewer)

[fatness]

Personal data on 198 million voters, including analytics data that suggests who a person is likely to vote for and why, was stored on an unsecured Amazon server.

A huge trove of voter data, including personal information and voter profiling data on what's thought to be every registered US voter dating back more than a decade, has been found on an exposed and unsecured server, ZDNet has learned.

It's believed to be the largest ever known exposure of voter information to date.

The various databases containing 198 million records on American voters from all political parties were found stored on an open Amazon S3 storage server owned by a Republican data analytics firm, Deep Root Analytics.

UpGuard cyber risk analyst Chris Vickery, who found the exposed server, verified the data. Through his responsible disclosure, the server was secured late last week, and prior to publication.

This leak shines a spotlight on the Republicans' multi-million dollar effort to better target potential voters by utilizing big data. The move largely a response to the successes of the Barack Obama campaign in 2008, thought to have been the first data-driven campaign.

The exposed server was also found to contain gigabytes of data from TargetPoint, a conservative market research firm focused on helping candidates better understand voters' policy preferences and political actions. Some of these files, says UpGuard, contain millions of entries that appear to rate voters on the post-election likelihood of supporting a certain policy, candidate, or belief on a scale of "very unlikely" to "very likely."

This isn't the first batch of voter data found by Vickery.

Vickery, who we profiled on ZDNet earlier this year, found 87 million Mexican voter records in an exposed database in 2016.

He was also responsible for discovering several US voter databases online totaling 18 million voters, and the state of Louisiana's entire database of 2.9 million voters.

Deep Root's exposure also appears to be larger than the 191 million voter records exposed by i360, a data company, in late 2015, and another massive leak of 154 million voter records a year later.

 

[Juxtatarot]

I, for one, would like to see what they've got on me.  

 

[fatness]

The 1.1 terabytes of data includes birthdates, home addresses, telephone numbers and political views of nearly 62% of the entire US population.

The data was available on a publicly accessible Amazon cloud server.  Anyone could access the data as long as they had a link to it.

The huge cache of data was discovered last week by Chris Vickery, a cyber-risk analyst with security firm UpGuard. The information seems to have been collected from a wide range of sources - from posts on controversial banned threads on the social network Reddit, to committees that raised funds for the Republican Party.

The information was stored in spreadsheets uploaded to a server owned by Deep Root Analytics. It had last been updated in January when President Donald Trump was inaugurated and had been online for an unknown period of time.

Apart from personal details, the data also contained citizens' suspected religious affiliations, ethnicities and political biases, such as where they stood on controversial topics like gun control, the right to abortion and stem cell research.

The file names and directories indicated that the data was meant to be used by influential Republican political organisations.

http://www.bbc.com/news/technology-40331215

 

[The Commish]

Not sure why, but this sort of stuff interests me.  I'm wondering if they have anything on me and where they get their data from.  From a privacy perspective I'm interested to know how they get this data.

 

 

[SacramentoBob]

Not sure why, but this sort of stuff interests me.  I'm wondering if they have anything on me and where they get their data from.  From a privacy perspective I'm interested to know how they get this data.

 

Reddit, apparently.  Which makes this even stranger.

 

[The Commish]

Not sure why, but this sort of stuff interests me.  I'm wondering if they have anything on me and where they get their data from.  From a privacy perspective I'm interested to know how they get this data.

 

Reddit, apparently.  Which makes this even stranger.

Then I'm not in their database.

 

[fatness]

A Republican contractor’s database of nearly every voter was left exposed on the Internet for 12 days, researcher says

Detailed information on nearly every U.S. voter — including in some cases their ethnicity, religion and views on political issues — was left exposed online for two weeks by a political consultancy which works for the Republican National Committee and other GOP clients.

The data offered a strikingly complete picture of the voting histories and political leanings of the American electorate laid out on an easily downloadable format, said cyber-security researcher Chris Vickery. He discovered the unprotected files of 198 million voters in a routine scan of the Internet last week and alerted law enforcement officials.

The precision and volume of the information, including dozens of data points on individual Republicans, Democrats and independent voters, highlights the rising sophistication of the data-mining efforts that have become central to modern political campaigns.

In some cases, that included which voters are suspicious of Wall Street and pharmaceutical firms, or who reluctantly voted for Hillary Clinton or supports the Affordable Care Act, Vickery said.

“They’re using this information to create political dossiers on individuals that are now available for anyone,” said Jeffrey Chester, executive director of the Center for Digital Democracy. “These political data firms might as well be working for the Russians.”

The company also kept information on Americans’ voting histories and their reported enthusiasm for Trump, Vickery said. Some of the files assigned voters a score based on their views of 46 different issues ranging from immigration to trade. Nearly 170 gigabytes of the exposed data consisted of social media posts scraped from Reddit, he added.  Among the data are unique RNC identifiers for each voter, Vickery said. The files also potentially offered insight into party strategy for tracking and organizing voters.

The files do not appear to include Social Security or credit card information, as has leaked in some major commercial data breaches. Nor is it clear if anyone other than Vickery gained unauthorized access to the files during the two weeks they were left without a password or other security before the problem was discovered on June 12.

But malicious hackers routinely conduct such scans of the Internet looking for unprotected files they can exploit. And to those who may have found them, the files painted a detailed portrait of virtually all of America’s roughly 200 million voters — revealing their names, addresses, birth dates and phone numbers.

“I could give you the home address of every person the RNC believes voted for Trump.”

That would be interesting. Might get the story more attention.

 

[Long Ball Larry]

This is an interesting story, but I don't know that it should be so partisan.  As noted in the first article, the Obama campaign was extremely precise with data usage.

 

[fatness]

This is an interesting story, but I don't know that it should be so partisan.  As noted in the first article, the Obama campaign was extremely precise with data usage.

I'm not sure how you report a story about a Republican data leak without mentioning "Republican"?

What gets me about the story is that, if it came out the government had concise files like this on people (and collectively the government does know much more than this but probably spread all over various agencies) there would be an outcry. But a group trying to become the government has it, and it's "yawn".

 

[IvanKaramazov]

What gets me about the story is that, if it came out the government had concise files like this on people (and collectively the government does know much more than this but probably spread all over various agencies) there would be an outcry. But a group trying to become the government has it, and it's "yawn".

Political parties have been keeping these kinds of records for decades.  If you've ever responded to a telephone poll sponsored by a party, for example, they will have recorded your answers in a spreadsheet somewhere and will use that information in marketing their product to you.  For example, your local Democratic party won't bother sending you candidate flyers or fundraising letters if you told them that you strongly supported Romney back in 2012.

I find the Reddit angle interesting and I would like to know more about how they manage to pull that off.  But that's just curiosity, not that I have a problem with it.

 

[fatness]

I just want to know where I can download it and start looking up people

Well if it had come from a different political party it would be available on wikileaks.

 

[Bottomfeeder Sports]

From a privacy perspective

Privacy?   That ship sailed a long time ago.

 

[Bottomfeeder Sports]

Then I'm not in their database.

If it is truly 198 million distinct voters then  odds are it would pretty much have to include you and me.  There are only about 232 million eligible voters and I assume that the number that have never voted is a decent chunk out of the 34 million difference.

Of course I'd guess that the 198 million number is not really distinct individuals.

 

[culdeus]

How would they have an average texas voter?  We don't track to an ID. 

 

[Sheriff Bart]

I vote for gambling, booze, drugs and two chicks at the same time. 

 

[fatness]

But the exposed database combined individuals' personal information and political inclinations — including proprietary information gathered via predictive modeling tools — to create a detailed profile of nearly 200 million Americans that would be a "gold mine" for anyone looking to target and manipulate US voters, said  Archie Agarwal, founder of the cybersecurity firm ThreatModeler.

"This is the mother lode of all leaks," Agarwal said Monday. "Governments are made or broken on this. I don't even have the words to describe it."

"If the Russians have this data, then they have targeted information that could allow them to try to swing the vote," Agarwal said. 

"There is nothing more valuable to some people out there than this kind of information," Upguard's Vickery added. "This is what you can use to steal an election at the state and local level. It tells you who you need to advertise to to swing votes."

J oseph Lorenzo Hall, the chief technologist at the Center for Democracy  and Technology, said the voter information would be worth "a s---load of money" to anyone on the black market — particularly a hacker working on behalf of a foreign adversary — who happened upon it. 

"Certainly you can imagine that it could have been a covert way of communicating data in a way that looked like an error," Hall said.  

"In Illinois, investigators found evidence that cyber intruders tried to delete or alter voter data," Bloomberg said. "The hackers accessed software designed to be used by poll workers on Election Day, and in at least one state accessed a campaign finance database." 

http://www.businessinsider.com/deep-root-leaks-voter-data-russia-2017-6

 

[fatness]

DeepRoot is the company. Vickery is the guy who found all the exposed information.

Deep Root said the information had been online for 12 days and that there was no indication anyone — besides Vickery, who first discovered the database — gained access to it. But Vickery said he thinks the database "was probably left up for a lot longer" than 12 days, and noted that Deep Root said initially that someone had gained "unauthorized access" to the information while it was live.

"Since then they've changed their tune," Vickery said. 

Deep Root said it didn't believe its systems had been hacked "based on the information we have gathered thus far."

Agarwal, however, said that assessment could change as the company investigates the breach further. "They are saying that based on whatever they think today, at this moment," Agarwal said. But the scope of data breaches is often not known until weeks, if not months, after they occurred. 

http://www.businessinsider.com/deep-root-leaks-voter-data-russia-2017-6

 

[fatness]

It’s the kind of sensitive information that, if a bank or a big-box retailer or almost any other corporation had failed to protect it, would have triggered major trouble with regulators. But there it sat on the Internet, without so much as a password to guard it, for 12 days.

http://www.latimes.com/politics/la-na-pol-gop-data-breach-20170619-story.html