A security researcher has, yet again, discovered thousands of U.S. voter files with a minimal amount of effort. Given that over the past year virtually every registered U.S. voter has been exposed by one data breach or another, it’s becoming increasingly difficult to feign our surprise.
According to the researcher, Kromtech Security’s Bob Dianchenko, the files were available online for virtually anyone to download and had long been indexed by GreyhatWarfare, a website that currently lists more than 48,000 Amazon S3 buckets, in which potentially confidential files can be found.
Dianchenko linked the Amazon server containing the voter files to Robocent, a Virginia-based political campaign and robocalling company. More than 2,600 files were exposed, including voter file spreadsheets and audio recordings for several political campaigns. The voter data itself contained names, phones numbers, addresses, political affiliations, age and year of birth, gender, voting district, and other demographic information, such as language and ethnicity.
RoboCent appears to market its services toward both Democrat and Republican candidates. In one blog post advertising its suite of services, it noted challenges facing Democrats seeking to build a “public opinion case” against the Trump administration. Another, following Republican primaries in Kentucky and Indiana, boasted about the victories of “Trump-flavored” candidates.
Dianchenko contacted RoboCent after discovering the voter file cache and the records were quickly secured. “We’re a small shop, so keeping track of everything can be tough,” a RoboCent developer told him.
Gizmodo could not immediately reach RoboCent for comment.
In a statement to ZDNet, which first reported the breach, the company said the bucket contained data from 2013-2016 and “hasn’t been used in the past two years.” The company said the information was publicly available information and that customers would be contacted “if required by law.”
While voter data is largely a matter of public record, in states such as Kentucky, Maine, and Massachusetts, not everyone can purchase it. Many states limit the use of voter data to campaign-related activities. Some states, such as South Carolina, will only sell voter data to registered voters in those states. Moreover, acquiring a nationwide voter database can cost upwards of $135,000.
So the argument that voter data is all public record and, therefore, protecting it isn’t a high priority is flimsy at best. That said, it also has a relatively short shelf life. Voter data used in one election is considered expired by the next; people move, switch parties, change phone numbers, etc. Voter files considered garbage are frequently neglected or discarded recklessly. Too often, spreadsheets containing vast amounts of personal information are found abandoned online, forgotten and inadequately secured.
Last year, Gizmodo reported a breach involving nearly 200 million Americans stemming from a leaky database at a marketing firm contracted by the Republican National Committee. In December, Kromtech revealed an
other 19.2 million voter files had been stolen and held for ransom in California. Like RoboCent, both of these leaks were caused by companies that failed to do something as simple use a passwords to protect their Amazon server. Instead, the personal data of millions of Americans was left exposed for virtually anyone to find.
The may be the latest breach, but it certainly won’t be the last. If we’re lucky, we might make it to the end of the month—but with campaign season kicking into high gear, I sorely doubt it.
Got a tip about a data breach? Email that author firstname.lastname@example.org. You can also anonymously send us documents or speak to our reporters securely using our SecureDrop system.