Marketing firm leaks 200m US citizens' personal data

The exposed database includes personal information, as well as political preferences and religious views

The personal information, religious beliefs and political views of close to 200 million US citizens have been accidentally revealed by marketers working on behalf of the Republican National Committee.

The mammoth 1.1TB dataset, which covers more than 60% of the total US population, was owned by Deep Root Analytics, and included not just names, addresses, telephone numbers and dates of birth, but also information about potential political viewpoints, religious leanings and ethnicity.


The database was discovered by UpGuard security researcher Chris Vickery on a public-facing AWS server, with no security, encryption or authentication safeguards in place. Vickery made the discovery on 12 June, but according to a statement given to Gizmodo by Deep Root Analytics' founder Alex Lundry, the information had only been exposed since 1 June following an update to its security settings.

"We take full responsibility for this situation," he said. "Since this event has come to our attention, we have updated the access settings and put protocols in place to prevent further access".

"The fundamental problems which exposed this data are not rare, uncommon, or consigned to one side of the partisan divide," wrote UpGuard in a blog post. "The same factors that have resulted in thousands of previous data breaches - forgotten databases, third-party vendor risks, inappropriate permissions - combined with the RNC campaign operation to create a nearly unprecedented data breach."


Security industry experts have been queuing up to lambast Deep Root for letting such a huge dataset sit unprotected, with many accusing the company of failing to follow basic security protocols.

"The accidental data leakage of 200 million American voter records is the latest example of an unfortunate but sobering reality," said Forcepoint CEO Matt Moynahan; "more often than not, data breaches are caused not by malicious hackers but by inadvertent errors made by employees."

DQM GRC technical director Peter Galdies also cautioned that if this had affected EU voters, the consequences for Deep Root could have been dire under incoming stricter data protection rules for EU citizens. He said: "If this data had belonged to European or UK residents then this would have qualified as a hugely serious breach of the new GDPR law... potentially resulting in very serious consequences to all the organisations found responsible, including the data processors."


Tim Erlin, Tripwire vice president, noted that this is a reminder of how fundamental data security should be. "Any organisation that is managing sensitive data, especially in the cloud, should look at this incident as a wake-up call," he said. "Executives should ask themselves if this kind of incident could occur inside of their organisation, and then they should follow up by asking exactly how it would be prevented."

However, in addition to the obvious security concerns raised by the incident, for many experts it has also brought up questions about the level of data-gathering being performed on ordinary citizens without their knowledge.

The data was compiled by three Republican data analysis firms - Deep Root, TargetPoint Consulting and Data Trust. These consultants were hired by the Republican Party with the apparent goal of building a comprehensive profile of as many voters as possible, which would then be used to micro-target them with political messaging and propaganda specifically tailored to appeal to their individual beliefs.


This isn't the first time similar mass-monitoring methods have been deployed in the service of a political agenda; a comprehensive investigation by The Guardian revealed that data-mining firm Cambridge Analytica was heavily linked both to various pro-Brexit campaign groups and to several billionaire backers - including UKIP donor Arron Banks and Trump's chief strategist Steve Bannon. The news prompted the Information Commissioner's Office to launch an ongoing investigation into the use of personal data in political campaigns.

"The average citizen likely doesn't appreciate the level at which this kind of data drives the political process," said Erlin. "This is a treasure trove of personal information that was sitting unprotected on the internet."

Picture: Bigstock
