A Republican voter data firm probably exposed your personal information for days — and you don’t have much recourse – Los Angeles Times
To any nefarious hackers looking for information that could be used to sway elections or steal Americans’ identities, the file compiled by a GOP data firm called Deep Root Analytics offered all manner of possibilities.
There in one place was detailed personal information about almost every voter in the U.S. It was a collection of some 9.5 billion data points that helped the firm assess not only how those Americans would probably vote, but their projected political preferences. In some cases, the data collectors had scoured people’s histories on Reddit, the social media platform, to match vote history with social media use, and well-informed predictions were made about where each voter would stand on issues as personal as abortion and stem cell research.
It’s the kind of sensitive information that, if a bank or a big-box retailer or almost any other corporation had failed to protect it, would have triggered major trouble with regulators. But there it sat on the Internet, without so much as a password to guard it, for 12 days.
Luckily for the Republican Party and Deep Root, an Arlington, Va.-based firm that handles data management and analysis for the party, it was a cybersecurity consultant who came across the treasure-trove of political data this month, not a foreign agent. There is no indication that the database had been tapped by any other unauthorized parties while it was unprotected.
But the exposure of the data, which some are describing as the largest leak of voter information in history, is a jolting reminder of how deeply the political parties are probing into the lives of voters and how vulnerable the information they are compiling is to theft.
The Deep Root incident is the latest in a series of such problems with political data, the most infamous being the case of the Russian hack of the Democratic National Committee. As cybersecurity experts sound an increasingly loud alarm about the potential consequences, the lapses keep happening — often with nobody held accountable for them.
“This is a catalog of human lives, with intrinsic details,” said Mike Baukes, chief executive of UpGuard, the Mountain View, Calif., firm that came across the file during a routine scan of cloud systems.
“Every voter in America is potentially in there. The scale of it is just staggering, and the fact that it was left wide open is wholly irresponsible.… This is happening all the time. We are continually finding these things. It is just staggering.”
Privacy experts were skeptical that political operatives will change their ways following the latest incident.
“The state of security for massive data sets is so incredibly poor despite a daily drumbeat of data breached,” said Timothy Sparapani, a former director of public policy for Facebook who is now a data privacy consultant at the firm SPQR Strategies, based in Washington. “It is shocking. It is embarrassing. People ought to lose their jobs.”
Sparapani said if the culprit had been a private firm, it would be subjected to punitive actions by attorneys general, consumer lawsuits and big fines from regulators. But political operations face no such repercussions.
“As a voter, you are left with almost no recourse because our laws have not caught up to the massive computing power which is readily available to gather enormous data sets and make them searchable at the click of a button,” he said. “The breadth and depth of data collection by these companies is not well understood. If it were, I think the average voter would be frightened.”
UpGuard was able to access the file merely by guessing a Web address. It alerted Deep Root as well as federal authorities.