Marketing firm leaks 200m US citizens' personal data

The exposed database includes personal information, as well as political preferences and religious views

The personal information, religious beliefs and political views of close to 200 million US citizens have been accidentally revealed by marketers working on behalf of the Republican National Committee.

The mammoth 1.1TB dataset, which covers more than 60% of the total US population, was owned by Deep Root Analytics, and included not just names, addresses, telephone numbers and dates of birth, but also information about potential political viewpoints, religious leanings and ethnicity.

The database was discovered by UpGuard security researcher Chris Vickery on a public-facing AWS server, with no security, encryption or authentication safeguards in place. Vickery made the discovery on 12 June, but according to a statement given to Gizmodo by Deep Root Analytics' founder Alex Lundry, the information had only been exposed since 1 June following an update to its security settings.

"We take full responsibility for this situation," he said. "Since this event has come to our attention, we have updated the access settings and put protocols in place to prevent further access."

"The fundamental problems which exposed this data are not rare, uncommon, or consigned to one side of the partisan divide," wrote UpGuard in a blog post. "The same factors that have resulted in thousands of previous data breaches - forgotten databases, third-party vendor risks, inappropriate permissions - combined with the RNC campaign operation to create a nearly unprecedented data breach."

Security industry experts have been queuing up to lambast Deep Root for letting such a huge dataset sit unprotected, with many accusing the company of failing to follow basic security protocols.

"The accidental data leakage of 200 million American voter records is the latest example of an unfortunate but sobering reality," said Forcepoint CEO Matt Moynahan; "more often than not, data breaches are caused not by malicious hackers but by inadvertent errors made by employees."

DQM GRC technical director Peter Galdies also cautioned that if this had affected EU voters, the consequences for Deep Root could have been dire under incoming stricter data protection rules for EU citizens. He said: "If this data had belonged to European or UK residents then this would have qualified as a hugely serious breach of the new GDPR law... potentially resulting in very serious consequences to all the organisations found responsible, including the data processors."

Tim Erlin, Tripwire vice president, noted that this is a reminder of how fundamental data security should be. "Any organisation that is managing sensitive data, especially in the cloud, should look at this incident as a wake-up call," he said. "Executives should ask themselves if this kind of incident could occur inside of their organization, and then they should follow up by asking exactly how it would be prevented."

However, in addition to the obvious security concerns raised by the incident, for many experts it has also brought up questions about the level of data-gathering being performed on ordinary citizens without their knowledge.

The data was compiled by three Republican data analysis firms - Deep Root, TargetPoint Consulting and Data Trust. These consultants were hired by the Republican Party with the apparent goal of building a comprehensive profile of as many voters as possible, which would then be used to micro-target them with political messaging and propaganda specifically tailored to appeal to their individual beliefs.

This isn't the first time similar mass-monitoring methods have been deployed in the service of a political agenda; a comprehensive investigation by The Guardian revealed that data-mining firm Cambridge Analytica was heavily linked both to various pro-Brexit campaign groups and to several billionaire backers - including UKIP donor Arron Banks and Trump's chief strategist Steve Bannon. The news prompted the Information Commissioner's Office to launch an ongoing investigation into the use of personal data in political campaigns.

"The average citizen likely doesn't appreciate the level at which this kind of data drives the political process," said Erlin. "This is a treasure trove of personal information that was sitting unprotected on the internet."

Picture: Bigstock
