millions of voter records exposed in data breachIn what’s being called the largest leak of U.S. voter data ever discovered, a company hired by the Republican National Committee (RNC) has admitted to and claimed full responsibility for the exposure of information pertaining to nearly 200 million registered voters in the U.S. A massive, unsecured database of files owned by a company called Deep Root Analytics was discovered on June 12 by UpGuard cyber risk analyst Chris Vickery. This is far from the first leak of voter information in recent years — we reported on the exposure of 191 million voters in December 2015 — but it’s certainly the largest and comes at a time when citizens and the government alike are raising concerns over suspected election tampering at the hands of the Russians, instances of state-sponsored espionage and the rise in new kinds of cyber attacks which take advantage of unsecured technology. To help you understand what kind of information was contained in this database, how it was exposed and what this means for you, we’ve broken down the facts.

How was the leak discovered?

According to the detailed report published by UpGuard, a cyber resilience company that functions to help businesses determine cyber risks, Vickery discovered a misconfigured database on June 12 that he determined to be owned by Deep Root Analytics after downloading and looking through the 1.1 TB worth of files on it. He notified both federal authorities and the firm itself immediately, and the database was secured two days later by Deep Root Analytics. A statement released by the firm on June 19 confirmed that the files were unsecured and accessed without its knowledge, though it claims that there is no evidence that the database was hacked or that any malicious entities accessed the files (note that as of June 22, this statement is no longer available online). However, since this incident only just occurred — according to Deep Root Analytics, the data was exposed after an update of its security settings on June 1 — it’s possible more information will come to light in the future. At this time, the firm has retained Stroz Friedberg, a cybersecurity and digital forensics company, to investigate and it has also put in place new protocols and updated its access settings in light of the discovery.

What kind of information was in the exposed data?

Deep Root Analytics is a media firm that was hired by the RNC to assist with the analysis of voter information to create targeted advertisements during the recent 2016 presidential election. The GOP has severed ties as a result of this leak. Information compiled by multiple sources, including a conservative market research firm called TargetPoint, was included in this GOP “data warehouse.” Among the tons of data stored within this server was the personal data of 198 million registered voters, including names, birth dates, home addresses, phone numbers and voter registration details — in addition to “profiling” information such as suspected ethnicities and religions. Republicans and the companies the GOP hired used this data to run data-driven campaigns during the 2016 election cycle, employing available public records details on voters along with other information gleaned from various sources to speculate on the likelihood of individuals to support specific policies, candidates, beliefs and more. What’s most unsettling about the data contained within this server is that each individual was assigned a unique alphanumeric ID — meaning that the data can all be tied back to specific Americans.

What’s going to happen next?

It’s unclear as of yet what will happen, or whether any of the people whose information was included in Deep Root Analytics’ data will be notified. Until a thorough investigation is complete, it won’t be known whether or not anyone besides Vickery accessed the data during the 12 days it was unprotected. A class action lawsuit has already been filed, which may spell serious trouble for the firm if enough of the 198 million voters included participate. It’s possible, if the data was accessed by cybercriminals, that it could be used for all sorts of purposes, including identity theft. That said, there’s really no way to know at this point. It’s also worth pointing out that since the majority of data was gleaned from 2008 and 2012 registered voters, a good amount of it is likely to be somewhat outdated.

What does this mean for you?

As noted by UpGuard in its report, this breach combines several factors that have played into many prior data breaches, including forgotten databases, third-party vendor risks and inappropriate permissions. The massive Target breach in 2013 was a result of a compromised third-party vendor, for instance. Political campaigns gather tons of data to try and learn about the voters they want to sway, but what happens to that data when the election is over? Do these organizations and companies owe anything to the people whose data they collect, and if so, what? It’s hard enough to keep up with the barrage of websites, apps and businesses collecting and requesting our data that let us know upfront that it’s being collected. In the cases of an online shopping site, a social media app or your doctor’s office, there’s incentive to protect that data from exposure and access by malicious third parties. What kind of incentive does a fly-by-night operation like a presidential campaign have?

It seems that each industry, from retail to the government itself, has to learn the hard way — sometimes repeatedly — before they can put better security in place. This is far from the first time voter data has been exposed, and it’s probably not going to be the last time until data protection and security is taken seriously by political organizations. On the whole, businesses and individuals have a lot of catch-up to do when it comes to protecting data privacy, and in the meantime, data breaches and cybersecurity issues will continue to plague us.

The best you can do is stay educated and informed on what’s happening, including data breaches and best practices for protecting your privacy. To get the details on how to protect yourself in these troubling times, follow our privacy and identity theft protection blogs.