Leaked GOP Data On 198 Million Americans Had No Password
How much data qualifies as a massive amount?
Roughly 25 terabytes, which is enough hard drive space to store around 500 complete Blu-Ray movies. Noted security researcher Chris Vickery says, In terms of the scope and depth, this is the biggest exposure I have found.
The data that was leaked includes incredibly detailed profiles on just north of 198 million registered voters, which pretty much accounts for everyone who was eligible to vote in the 2016 election. There were thousands of files, some quite small and others incredibly large. Just two Excel files, for example -- one on Hilary Clinton and another containing research on Reddit users -- totalled almost 400GB.
Individual profiles are incredibly detailed. Voters attitudes towards just about any topic of political significance going back as far as ten years are scored. It is the kind of data that costs millions of dollars and requires countless man-hours to produce.
To be clear, this information was not stolen by hackers and then leaked; it was uploaded to a server that was not properly secured. Vickery says there was no password preventing access to the data. Anyone with the link could click in and download every single file.
Where did the data come from?
Upguard, where Vickery handles cyber risk research, says that it came from a number of sources. Some of it is publicly available, like voter rolls. Other information came from PACs, social networks, Kantar Research, and other consulting groups. Ultimately, the data was exposed by Deep Root, an analytics firm frequently tapped by the GOP to help maximize its advertising dollars during campaigns.
Deep Root said much of the data is [its] proprietary analysis to help inform local television ad buying. While UpGuards Dan Sullivan notes that Deep Root is not the only company that has access to this breadth of information on American voters, he says the lack of care in its handling creates serious cause for concern. That such an enormous national database could be created and hosted online, missing even the simplest of protections against the data being publicly accessible, is troubling.
For its part, Deep Roots Alex Lundry says the company has taken full responsibility for the leak. He also stated that Deep Root has put protections in place to ensure that the data can no longer be accessed by unauthorized parties.