Largest RNC leak ever!
A data analytics contractor employed by the Republican National Committee (RNC) left databases containing information on nearly 200 million potential voters exposed to the internet without security, allowing anyone who knew where to look to download it without a password.
“We take full responsibility for this situation,” said the contractor, Deep Root Analytics, in a statement.
The databases were part of 25 terabytes of files contained in an Amazon cloud account that could be browsed without logging in. The account was discovered by researcher Chris Vickery of the security firm UpGuard. The files have since been secured.Vickery is a prominent researcher in uncovering improperly secured files online. But, he said, this exposure is of a magnitude he has never seen before“In terms of the disc space used, this is the biggest exposure I’ve found. In terms of the scope and depth, this is the biggest one I’ve found,” said Vickery.
The accessible files, according to UpGuard, contain a main 198 million-entry database with names, addresses of voters and an “RNC ID” that can be used with other exposed files to research individuals.
For example, a 50-gigabyte file of “Post Elect 2016” information, last updated in mid-January, contained modeled data about a voter’s likely positions on 46 different issues ranging from “how likely it is the individual voted for Obama in 2012, whether they agree with the Trump foreign policy of ‘America First’ and how likely they are to be concerned with auto manufacturing as an issue, among others.”
That file appears in a folder titled “target_point,” an apparent reference to another firm contracted by the RNC to crunch data. UpGuard speculates that the folder may imply that the firm TargetPoint compiled and shared the data with Deep Root. Another folder appears to reference Data Trust, another contracted firm.
UpGuard analyst Dan O’Sullivan looked himself up in the database and writes in the official report that the calculated preferences were, at least for him, right on the money.
“It is a testament both to their talents, and to the real danger of this exposure, that the results were astoundingly accurate,” he said.
The Deep Root Analytics cloud server had 25 terabytes of data exposed, including 1.1 terabytes available for download.