‘The mother lode of all leaks’: A massive data breach exposed ‘information that can be used to steal an election’ – Business Insider
A data analytics firm hired by the Republican National Committee
last year to gather political information about US voters
the sensitive personal details of roughly 198 million US citizens
earlier this month, as its database was left exposed on the open
web for nearly two weeks.
Deep Root Analytics, a conservative data firm contracted by the
RNC as part of a push to ramp up its voter analytics operation in
the wake of Mitt Romney’s defeat in the 2012 presidential
election, stored details about approximately 61% of the US
population on an Amazon cloud server without password protection
for those two weeks.
Gizmodo first reported the leak, which was discovered
by UpGuard cyber
risk analyst Chris Vickery.
“I find data breach situations like this all day long,
every day,” Vickery told Business Insider on Monday.
“Companies don’t realize their employees are cutting corners, and
mistakes get made. It’s an absolute epidemic.”
The data, according to UpGuard’s analysis, “included 1.1
terabytes of entirely unsecured personal information compiled by
Deep Root Analytics and at least two other Republican
contractors, TargetPoint Consulting, Inc. and
Data Trust. In total, the personal information of
potentially near all of America’s 200 million registered
voters was exposed, including names, dates of birth, home
addresses, phone numbers, and voter registration details, as well
as data described as ‘modeled’ voter ethnicities and
The information did not include highly sensitive
information like Social Security numbers, and much of it was
publicly available voter-registration data provided by state
government officials, a company spokesman told Business
Insider on Tuesday.
“Since this event has come to our attention, we have updated the
access settings and put protocols in place to prevent further
access,” Deep Root said in a statement. “We take full
responsibility for this situation.”
But the exposed database combined individuals’ personal
information and political inclinations — including proprietary
information gathered via predictive modeling tools — to create a
detailed profile of nearly 200 million Americans that would be a
“gold mine” for anyone looking to target and manipulate US
Archie Agarwal, founder of the
cybersecurity firm ThreatModeler.
“This is the mother lode of all leaks,” Agarwal said Monday.
“Governments are made or broken on this. I don’t even have the
words to describe it.”
‘This is what you can use to steal an election’
Deep Root emphasized in its statement that the data that
was accessed “was, to the best of our knowledge,
proprietary information as well as voter data that is publicly
available and readily provided by state government offices.”
But Agarwal said data like Deep Root’s is extremely valuable
to adversaries who could use it to better understand what
makes American voters tick, allowing nefarious actors to better
coordinate their efforts to sway public opinion — efforts
that could be particularly consequential in the kind of key
swing states that proved crucial to President Donald Trump’s
“If the Russians have this data, then they have targeted
information that could allow them to try to swing the vote,”
“There is nothing more valuable to some people out there
than this kind of information,” UpGuard’s Vickery added. “This is
what you can use to steal an election at the state and local
level. It tells you who you need to advertise to to swing
Cybersecurity experts who spoke to Business Insider all
said Deep Root’s mistake — which made these sensitive
voter data files available to anyone who found the URL to
the cloud server — is common and easy to make.
But while “it’s not hard to make this mistake, but it’s also hard
not to check that it’s been made,” Vickery said.
Joseph Lorenzo Hall, the chief technologist at
the Center for Democracy
said the voter information would be worth “a s—load of
money” to anyone on the black market — particularly a hacker
working on behalf of a foreign adversary — who happened upon
“Certainly you can imagine that it could have been a covert way
of communicating data in a way that looked like an error,” Hall
A senior GOP strategist who worked on the RNC’s digital
operations last year denied that anything nefarious had
occurred, calling Deep Root “the best in the business” and
arguing that, if anything, the exposure shows how far the party
had come in developing a sophisticated operation that far
surpassed that of Democrats.
“It’s silly of Deep Root to have let that happen,” the strategist
said. “But I think that, overall, this story is a positive and
shows that Republicans are ahead of Democrats.”
‘It’s a little fishy’
The data exposure comes as congressional and federal
investigators examine Russia’s interference in the 2016 election,
part of which was aimed at gaining access to voter registration
data and election systems in at least 39 states, Bloomberg reported
“In Illinois, investigators found evidence that cyber
intruders tried to delete or alter voter data,” Bloomberg said.
“The hackers accessed software designed to be used by poll
workers on Election Day, and in at least one state accessed a
campaign finance database.”
In Illinois, the Russians appeared to be rummaging for sensitive
information on voters. Hackers gained access to the
state’s voter database, which contained information
such as names, birth dates, driver’s licenses and partial Social
Security numbers on 15 million people, according to
“It’s a little fishy,” said Joe Loomis, the founder and
Chief Technology Officer at the cybersecurity
firm CyberSponse. “Especially considering that it
was a leak of all of this voter data as we hear that there
were these other entities gaining access to voter
registration” databases, he said.
“Even if it was human error and not intentional, one
IT person is probably going to put this company out of business,”
Loomis said, pointing to lawsuits that may be brought against the
company by those who had their information exposed.
Alex McGeorge, a senior security researcher at the
cybersecurity firm Immunity, Inc., agreed that the leak was
likely a “careless” mistake.
“It was negligent,” he said. “But now we have to take their word
for it that no one got access to it” while it was online.
Deep Root said the information had been online for 12 days
and that there was no indication anyone — besides Vickery, who
first discovered the database — gained access to it. But Vickery
said he thinks the database “was probably left up for a lot
longer” than 12 days, and noted that Deep Root said initially
that someone had gained “unauthorized access” to the information
while it was live.
“Since then they’ve changed their tune,” Vickery
Deep Root said it didn’t believe its systems had been
hacked “based on the information we have gathered thus
Agarwal, however, said that assessment could change as the
company investigates the breach further.
“They are saying that based on whatever they think today,
at this moment,” Agarwal said. But the scope of data
breaches is often not known until weeks, if not months, after
Vickery and McGeorge said the data exposed in the Deep
Root leak was likely the kind of information that the Russians
already had access to. But the extent of Russia’s
infiltration in election systems across the country last
year remains unclear, and congressional investigators are
apparently trying to find out more about what the Russians
accessed and why.
“While I am not aware of evidence that the 2016 voting process
itself was subjected to manipulation, and have no reason to doubt
the validity of the election results, we know that the DHS and
FBI have confirmed two intrusions into voter registration
databases in Arizona and Illinois by foreign-based
hackers,” Sen. Mark Warner, the vice chairman of the
Senate Intelligence Committee, wrote in a letter to Homeland
Security Secretary John Kelly on Tuesday.
Warner asked Kelly “to work closely with state and local
election officials to disclose publicly which states were
targeted, to ensure that they are fully aware of the threat, and
to make certain that their cyber defenses are able to neutralize
this danger. We are not made safer by keeping the scope and
breadth of these attacks secret.”
The exposure of voter registration information, whether
through leaks or hacks, has left upcoming elections
vulnerable to manipulation. Virginia and New Jersey will
hold gubernatorial elections later this year, and all 435 seats
in the House and 33 of the 100 seats in the Senate will be
contested in the 2018 midterm elections.
“It is clear that these will not be the last attempts that we
will see,” Warner wrote, “and the next electoral cycle in 2018
will provide further targets for hackers.”