Tuesday, October 17, 2017

How a ‘publicly accessible cloud server’ exposed 198 million US voters’ data used by President Donald Trump’s team

Data repository on an AWS S3 bucket containing names, ages, addresses and phone numbers was accessible to anyone with an internet connection for 12 days.

In what is believed to be the largest US voter data leak in history, the details of as many as 198 million voters have been exposed by an analytics company hired by the Republican National Committee (RNC) for the presidential campaign of 2016.

Whilst the public debate focused on Donald Trump’s relations with Russia and Putin, UpGuard found that Republican data firm Deep Root Analytics (DRA) exposed as much as 1.1 terabytes of personal information that had been compiled by DRA, TargetPoint Consulting and Data Trust.

The leaked data, which was available for 12 days on the internet between June 1 and June 12, 2017, included voters’ names, dates of birth, home addresses, phone numbers, and voter registration details.

In addition, the exposed information included data described as “modelled” voter ethnicities and religions, as well as voters’ views on political issues.

DRA was hired through a $100m data budget from the RNC to help gather and process voter data in order to drive the campaign based on analytics.

For comparison, according to Tom Bonier, CEO of TargetSmart, who spoke to Politico in October 2016, just over 200 million people were registered to vote in the election.

UpGuard wrote in a blog post: “Deep Root Analytics, TargetPoint, and Data Trust—all Republican data firms—were among the RNC-hired outfits working as the core of the Trump campaign’s 2016 general election data team, relied upon in the GOP effort to influence potential voters and accurately predict their behaviour.

“The RNC data repository would ultimately acquire roughly 9.5 billion data points regarding three out of every five Americans, scoring 198 million potential US voters on their likely political preferences using advanced algorithmic modelling across forty-eight different categories.”

The cloud repository was found by UpGuard’s Cyber Risk Analyst Chris Vickery on June 12 while searching for misconfigured data sources on behalf of the Cyber Risk Team.

The analyst found that the data repository, an Amazon Web Services S3 bucket, lacked any protection against access.

“As such, anyone with an internet connection could have accessed the Republican data operation used to power Donald Trump’s presidential victory, simply by navigating to a six-character Amazon subdomain: dra-dw,” UpGuard explained.

In a statement, the RNC said DRA has taken full responsibility for the situation and that the RNC has halted any further work with the company “pending the conclusion of their investigation into security procedures”.

“While Deep Root has confirmed the information accessed did not contain any proprietary RNC information, the RNC takes the security of voter information very seriously and we require vendors to do the same.”

For its part, DRA said: “Deep Root Analytics has become aware that a number of files within our online storage system were accessed without our knowledge. We are conducting an internal review and have retained cyber security firm Stroz Friedberg to conduct a thorough investigation.

“Through this process, which is currently underway, we have learned that access was gained through a recent change in asset access settings since June 1, 2017.

“We accept full responsibility, will continue with our investigation, and based on the information we have gathered thus far, we do not believe that our systems have been hacked.”