It’s Time to Pretend We’re Shocked by Yet Another Voter File Data Breach


A security researcher has, yet again, discovered thousands of U.S. voter files with a minimal amount of effort. Given that over the past year virtually every registered U.S. voter has been exposed by one data breach or another, it’s becoming increasingly difficult to feign our surprise.

According to the researcher, Kromtech Security’s Bob Dianchenko, the files were available online for virtually anyone to download and had long been indexed by GreyhatWarfare, a website that currently lists more than 48,000 Amazon S3 buckets, in which potentially confidential files can be found.

Dianchenko linked the Amazon server containing the voter files to RoboCent, a Virginia-based political campaign and robocalling company. More than 2,600 files were exposed, including voter file spreadsheets and audio recordings for several political campaigns. The voter data itself contained names, phone numbers, addresses, political affiliations, age and year of birth, gender, voting district, and other demographic information, such as language and ethnicity.

According to RoboCent’s website, the company offers a wide range of automated services, including robocalls, SMS messaging, and ringless voicemail drops, and it even supplies voter data directly to clients at a cost of three cents per record (mobile numbers are an additional 2.5 cents). The company’s privacy policy doesn’t mention voter data specifically.

RoboCent appears to market its services toward both Democrat and Republican candidates. In one blog post advertising its suite of services, it noted challenges facing Democrats seeking to build a “public opinion case” against the Trump administration. Another, following Republican primaries in Kentucky and Indiana, boasted about the victories of “Trump-flavored” candidates.

Dianchenko contacted RoboCent after discovering the voter file cache, and the records were quickly secured. “We’re a small shop, so keeping track of everything can be tough,” a RoboCent developer told him.

Gizmodo could not immediately reach RoboCent for comment.

In a statement to ZDNet, which first reported the breach, the company said the bucket contained data from 2013-2016 and “hasn’t been used in the past two years.” The company said the information was publicly available information and that customers would be contacted “if required by law.”

While voter data is largely a matter of public record, in states such as Kentucky, Maine, and Massachusetts, not everyone can purchase it. Many states limit the use of voter data to campaign-related activities. Some states, such as South Carolina, will only sell voter data to registered voters in those states. Moreover, acquiring a nationwide voter database can cost upwards of $135,000.

So the argument that voter data is all public record and, therefore, protecting it isn’t a high priority is flimsy at best. That said, it also has a relatively short shelf life. Data used in one election is considered expired by the next; people move, switch parties, change phone numbers. Voter files are often neglected, discarded, and never deleted or properly stored.

Spreadsheets containing vast swaths of personal information belonging to voters are frequently abandoned online, neither remembered nor adequately secured.

Gizmodo reported last year, for example, a breach involving nearly 200 million Americans stemming from a leaky database at a marketing firm contracted by the Republican National Committee. In December, Kromtech revealed another 19.2 million voter files had been stolen and held for ransom in California.

Like RoboCent, both of these leaks were caused by companies that had failed to properly secure their Amazon cloud accounts, leaving the personal information of millions of Americans exposed for virtually anyone to find.


[ZDNet]
