In what has to be one of the largest disclosures of personal data ever, it appears that a Republican National Committee vendor exposed its collection of data on 198 million U.S. voters in the cloud for anyone to trip over.
Unlike other cases where hackers broke in or used zero-day exploits to compromise systems, in this case the Republican contractor didn’t bother to put a password on the data.
Granted, there is a huge amount of data stored in the Amazon cloud, but that didn’t stop researchers from Upguard from finding it. And maybe other people found it too.
The primary vendor, Deep Root Analytics, made a statement taking responsibility for the screw-up.
The data, about 1.1 terabytes of it, gives a very detailed picture of almost all of America’s 200 million voters.
The data includes:
- Date of birth
- Home address
- Phone number
- Voter registration details
- ‘Modeled’ ethnicity
- ‘Modeled’ religion
- Hundreds of other fields
In addition to the 1 terabyte of data that was exposed, there was another 24 terabytes of data that was password protected. The data in the unprotected database alone represents about 10 billion pages of text.
It took 2 days just to download the data.
More than likely there is nothing remotely illegal about amassing this type of data. Depending on who downloaded it while it was exposed, it would certainly be extremely helpful to other politicians who might want to replicate this data for the next election. The data goes back to the 2008 election, which is very useful in predicting future outcomes. The RNC spent about a million dollars amassing this data. Now, potentially, it is in the wild – or up for sale. Given that it was not protected in any way, it is questionable whether downloading and using it is even illegal.
The Hill says that the data was exposed between June 1 and June 14. While that is a short time, it was certainly long enough to download the data.
We also don’t know if the data is or was stored elsewhere in the cloud, but I suspect RNC – and probably the DNC – are looking far and wide to make sure.
As more and more data moves to the cloud, the risk of that data being accidentally left exposed grows.
This is just another example of the risk of outsourcing. That doesn’t mean the data would not have been exposed if the RNC had collected it themselves.
It is a pretty painful reminder that you have to manage the data protection practices of all of your vendors. In this case, for the Republicans, it could be a million-dollar reminder if someone else uses the data that they paid to collect – possibly against them.
Also remember that, technically, this is not a breach. Since it was not protected by even a password – never mind being encrypted – it was kind of like putting your stuff out by the curb for people to pick through.
I suspect that the RNC and its vendors will be more careful next time.