US suffers largest ever voter data leak

The largest leak of US voter information was reported late last night. The personal information and voter profiling data of what is thought to be every registered US voter going back a decade has been found on an unsecure service – according to ZDNet.

The 198 million records of American voters spanning all political parties was found on an open Amazon S3 storage server, owned by a Republican data analytics firm, Deep Root Analytics.

UpGuard cyber risk analyst Chris Vickery found the exposed server and verified the data. He alerted the relevant bodies and the server was made secure late last week. UpGuard said that the personal information has multiple “identifying data points, making it possible to piece together a striking amount of detail on individual Americans specified by name.”

>See also: Data leak at US Air Force: the “holy grail” for spies

The exposed data includes files provided by Data Trust, a data warehouse created by the Republican party as an exclusive data provider of voter information – selling this data to political candidates to help strategise their campaigns.

Dr. Jamie Graves CEO at ZoneFox said: “The mother of all data leaks has hit 200 million US citizens in one of the biggest recorded data breaches. This accidental leak revealed the personal information – not just names and addresses, but also private voting choices – of 62% of the US population.”

“All companies are in the business of data. As such they’ve got to ensure they have visibility into their most prized asset and know the security limitations of their chosen platform in order to be in control of their information. After all, if they aren’t in the driving seat how can they protect it?”

The data includes the voter’s name, date of birth, home address, phone number, and voter registration details, such as the political party a person is registered with. The data also includes “profiling” information, voter ethnicities and religions, and other kinds of information that highlight a voter’s potential political preferences, which is used to better target political advertising.

>See also: Yahoo data leak: the biggest on record

Indeed, this huge voter data leak highlights the great emphasis the Republican campaign placed on targeting voters by analysing big data. The first case of a data-driven political campaign was Barack Obama’s in 2008.


Commenting on this, Paul Fletcher, cyber security evangelist at Alert Logic, said “This exposure of 198 million registered american voter’s personal identifiable information (PII) is due to the lack of a defence in depth strategy for a 3rd party.  It’s another example of why companies need to perform on-going due diligence of the security strategies of vendors and partners.  An organisation is only as secure as it’s weakest link, and 3rd party vendors have been notorious for being the weak point to data leakage and exfiltration.”

“The fact that this exposure was discovered on a public cloud site is irrelevant. In fact, if the AWS suite of security tools and log collection capabilities were properly implemented, this massive data exposure could’ve been avoided.  The Amazon S3 server comes by default with an access control list (ACL), which needs to be properly setup, maintained and audited by the organisation (and in this case), the organisation’s customer – the GOP.  Extra security is also available using server side encryption, again offered by AWS, but the responsibility to implement this solution is up to the public cloud customer.”

>See also: Ignorance is not bliss when your data has been hacked or stolen


In this case, Alert Logic has provided the following security best practices would’ve help prevented this type of exposure.

Identify and Access Management – as part of the access control list mention above, maintaining who has access to what data and when is critical to operational security.

Encryption – organisations should encrypt as much as possible, whenever it’s possible.  According to the statement released by Deep Root Analytics, they stated that they “last evaluated and updated our security settings on June 1, 2017.”  It’s plausible that a mistake was made during this update of their security settings, this can happen in any organisation, so implementing encryption would have provided a “fail safe” in case the data was accessed by an unauthorised party.

Log Monitoring and Management – Deep Root Analytic’s statement also says “we don’t believe that our systems have been hacked.”  Proper security logging and monitoring would provide much more certainty regarding all the access attempts (authorised or unauthorised) of this data.  Organisations that execute a robust log monitoring and management strategy will have better overall situational awareness for their data and system activity.

>See also: 3.7 million Hong Kong citizens’ data stolen

“The potential for this type of data being made available publicly and on the dark web is extremely high.  The collection (or aggregation) of PII only helps attacks build a more precise social engineering attack, especially using customised social media and phishing attack scenarios. This only aids the attacks approach and messaging because the specificity of the details increases the temptation for many people to click on the link,” concluded Fletcher.


The UK’s largest conference for tech leadership, TechLeaders Summit, returns on 14 September with 40+ top execs signed up to speak about the challenges and opportunities surrounding the most disruptive innovations facing the enterprise today. Secure your place at this prestigious summit byregistering here


Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...

Related Topics

Personal Data