News broke yesterday that a contractor for the RNC and other GOP groups exposed personal information of nearly TWO HUNDRED MILLION American registered voters to ANYONE who found the URL. No password, no encryption, not even a pretense of security:
In what is the largest known data exposure of its kind, UpGuard’s Cyber Risk Team can now confirm that a misconfigured database containing the sensitive personal details of over 198 million American voters was left exposed to the internet by a firm working on behalf of the Republican National Committee (RNC) in their efforts to elect Donald Trump. The data, which was stored in a publicly accessible cloud server owned by Republican data firm Deep Root Analytics, included 1.1 terabytes of entirely unsecured personal information compiled by DRA and at least two other Republican contractors, TargetPoint Consulting, Inc. and Data Trust. In total, the personal information of potentially near all of America’s 200 million registered voters was exposed, including names, dates of birth, home addresses, phone numbers, and voter registration details, as well as data described as “modeled” voter ethnicities and religions.
…
This reporter was able, after determining his RNC ID, to view his modeled policy preferences and political actions as calculated by TargetPoint. It is a testament both to their talents, and to the real danger of this exposure, that the results were astoundingly accurate.
This from the guys who sanctimoniously attacked Ms. Clinton for putting her improperly-secured email server in her home. The scope of this breach is to Ms. Clinton’s error as an atom bomb is to a firecracker.
If you are a registered voter (and most of us are), then your personal information has most likely been compromised in this breach. Not to put too fine a point on it, but the aggregation of first name, last name, date of birth, and in many cases phone number and address is more than enough for black-hats to use for identity theft. The opportunity for abuse by political organizations and hate groups is, well, staggering.
Nothing that any Democratic organization did remotely compares to this breach.
The question now is what, if anything, we’re going to do about it.
“The largest known data exposure of its kind” — that is really saying something.
Can’t I get most of that information locally just by asking the town clerk for the voter rolls?
Yes but local voters consent to their clerk giving they information to campaigns on a fair use basis. Here we have a massive breach for most voters across the country.
You’ll spend a LONG time in various town halls collecting data for TWO HUNDRED MILLION voters.
In addition, this data includes a great many data items (assembled at a cost measured in millions, I might add) that are not on voter rolls. For example, reddit posts, likely stances towards 46 modeled issues, and a variety of personal details. From the linked piece (emphasis mine):
You may not care that some crazy right-wing crackpot in Montana can casually discover your political leanings and get your name, address, DOB, phone number and so on. I do.