Unprotected Database Exposes Details of 198 Million US Voters

An Amazon S3 bucket containing the personal details of over 198 million Americans was left exposed online with no protection, according to UpGuard, a cyber-security whose researchers came across the database last week.

The data contained in the database belonged to three data mining companies known to be associated with the Republican Party, namely Deep Root Analytics, TargetPoint Consulting, Inc., and Data Trust.

Database exposed personal information, voter habits

Data exposed in the database leak included names, dates of birth, home addresses, phone numbers, ethnicity, religion, and other voter registration details that companies can analyze and predict voting behavior. Information on Americans from all 50 states and the District of Columbia was included.

The databases appear to have been used by the three companies to support the last three Republican presidential campaigns, in 2008, 2012, and 2016.

Deep Root Analysis, the company who owned the exposed Amazon S3 server admitted the breach and secured the database before UpGuard published its findings.

Biggest leak of US voter information

In terms of sheer numbers, this is the biggest leak of US voter registration data. In December 2015, Chris Vickery, the same UpGuard researcher who discovered this leak, also found an unprotected MongoDB database exposing the details of 191,337,174 US voters.

Five months later, Vickery also found a similar unprotected MongoDB database that exposed the personal details of 93,424,710 Mexican voters.

Other voter databases exposed in the past two years include the ones belonging to the Philippines (55 million) and Turkey (50 million), both leaked online by hackers after breaching national voter systems.

The US has also been targeted by hackers who stole US voter registration information. In August 2016, Yahoo News reported that Russian-based attackers stole voter databases from the states of Arizona and Illinois.

In a US Senate Intelligence Committee hearing two weeks ago, former FBI director James Comey said Russian hackers targeted hundreds of election-related entities in the US, but he did not specify if attackers managed to get away with US voter information.

Most of this data is already freely available online

While the leak UpGuard discovered seems bad, in reality, things aren't really as you'd imagine them. US voter registration is often made available to private entities by US states, some of which consider it public information.

This is what allowed the growth of a special niche of companies that provide so-called voter advertising, allowing campaigners of various political camps to go after registered voters with targeted ads.

Additionally, after the first leak (191 million, December 2015), most of the US voter registration info has already been sold and traded on underground hacking forums and Dark Web markets. If US citizens like it or not, their data had been exposed online a long time ago, and they'll never put the genie back in the bottle when it comes to their personal details.