A massive data breach by a contractor hired by the Republican National Committee (RNC) has exposed the personal information of 198 million likely voters. The breach happened after a contractor, Deep Root Analytics, accidentally left the database files unprotected on an internet-connected computer server. The Hill reported:
"The databases were part of 25 terabytes of files contained in an Amazon cloud account that could be browsed without logging in. The account was discovered by researcher Chris Vickery of the security firm UpGuard. The files have since been secured."
Deep Root Analytics helps a variety of clients, including political organizations, advertisers, and advocacy groups, identify custom audiences for television advertising -- in this instance, likely voters. Reportedly, the data elements exposed include full names, birth dates, residential addresses, and persons' positions on a variety of topics:
"... 46 different issues ranging from "how likely it is the individual voted for Obama in 2012, whether they agree with the Trump foreign policy of 'America First' and how likely they are to be concerned with auto manufacturing as an issue..."
The files exposed during the breach also identified another contractor hired by the RNC, Target Point, which experts conclude:
"... compiled and shared the data with Deep Root. Another folder appears to reference Data Trust, another contracted firm."
At press time, Target Point had not made any statements on its website. Deep Root issued this statement:
"Deep Root Analytics has become aware that a number of files within our online storage system were accessed without our knowledge. Deep Root Analytics builds voter models to help enhance advertiser understanding of TV viewership. The data accessed was not built for or used by any specific client. It is our proprietary analysis to help inform local television ad buying.
The data that was accessed was, to the best of our knowledge proprietary information as well as voter data that is publicly available and readily provided by state government offices. Since this event has come to our attention, we have updated the access settings and put protocols in place to prevent further access. We take full responsibility for this situation.
Deep Root Analytics maintains industry standard security protocols. We built our systems in keeping with these protocols and had last evaluated and updated our security settings on June 1, 2017.
We are conducting an internal review and have retained cyber security firm Stroz Friedberg to conduct a thorough investigation. Through this process, which is currently underway, we have learned that access was gained through a recent change in access settings since June 1. We accept full responsibility, will continue with our investigation, and based on the information we have gathered thus far, we do not believe that our systems have been hacked."
So, Deep Root wasn't aware of this breach until an outside security expert found it. Nor does the company seem certain about exactly what data elements were exposed/accessed by unauthorized persons. Not good. It makes one wonder what other undiscovered breaches may have happened.
Perhaps more troubling, the company's statement differs from news reports about the data elements exposed/accessed. The company's statement mentioned "publicly available" data, while news reports mentioned sensitive, non-public data. Hopefully, the results of Deep Root's internal breach investigation will clarify things. And, if sensitive information was truly exposed/stolen, hopefully Deep Root will do the right thing: notify breach victims and offer free credit monitoring services for at least two years.
This was not the first data breach of voter-related database data. A CouchDB breach in June 2016 exposed the sensitive information of 154 million voters. Both breaches seem to raise the question about whether political organizations, and the contractors they hire, adequately protect consumers' sensitive personal information.
Many consider this Deep Root data breach the largest voter breach ever. Yes, the data breach was undeniably massive. Why? Two measurement approaches highlight the fact.
First, the Quick Facts page at the U.S. Census Bureau site lists the population of the United States on July 1, 2015 at 321, 418,820 persons. Of those, 22.9 percent were under the age of 18. With a little "rough" math, one can calculate the population aged 18 or older at 247,813,910 persons. So, the Deep Root breach represented about 61.6 percent of the total population or 79.9 percent of the voting age population. That's almost 4 of every 5 adults aged 18 or older.
Second, the breach ranks near the largest when compared to notable data breaches during the past few years:
- 2017: at least 2.1* million job seekers in 10 states in America's Job Link Alliance (AJLA) portal breach, 1.3 million K-12 students in Schoolzilla platform breach,
- 2016: 500 million Yahoo accounts, 360 million Myspace accounts,
- 2015: 80 million Anthem healthcare patients, 37 million Ashley Madison subscribers, 15 million T-Mobile users in Experian breach, 14 million persons in the government OPM breach, 1.6 million persons in VTech breach,
- 2014: 83 million JPMorgan Chase customers, 53 million Home Depot shoppers,
- 2013: 110 million Target shoppers, 6 million Facebook members,
- 2012: 117 million LinkedIn users, 24 million Zappos shoppers,
- 2011: 77 million Sony Playstation Network users,
Regarding the AJLA portal breach earlier this year, the Privacy Rights Clearinghouse reported 1.7 million breach victims in Idaho and 430,000 in Oklahoma. Given this, the true number of breach victims is likely far higher.
What are your opinions about the Deep Root breach? Do political organizations, and the contractors they hire, adequately protect citizens' sensitive information? And, if not, what should be done?
When citizens vote, they expect privacy -- not just within voting booths. So, too, regarding the personal information and opinions data describing their voting. Arguably, voting data is different than other types of consumer information. And there is legal precedent for treating selected consumer information differently. Example: a set of privacy laws govern health care data. Perhaps, you have heard of the term: Protected Health Information (PHI). If data mining companies can't protect voters' data, then we just might need new laws to protect voting-related data: PVI = Protected Voting Information.
When data about voters is compromised (e.g., exposed and/or accessed), that is a strike at the heart of our democracy. Example: the bad guys could pressure voters using stolen information. Does the big-data/data-mining industry require oversight? Does Congress need to intervene to protect our democratic elections? What are your opinions about PVI?
[Correction: an earlier version of this blog post mentioned a database. Files were exposed, not a database nor an RNC database.]