The “sensitive personal details” of well over half the U.S. population have been “exposed to the internet” by a firm working for the Republican National Committee to elect President Donald Trump, a Mountain View cybersecurity firm has claimed.
A Virginia firm has admitted responsibility for the data exposure.
The problem for almost all of the country’s 200 million voters — across the political spectrum — arose out of a “misconfigured database,” according to Mountain View’s UpGuard, which discovered the security breach by Virginia’s Deep Root Analytics.
“The sensitive personal details of over 198 million American voters (were) left exposed to the internet by a firm working on behalf of the Republican National Committee in their efforts to elect Donald Trump,” UpGuard said on its website June 19.
The company called the breach the “largest known data exposure of its kind” and “perhaps the largest known exposure of voter information in history.”
Data firm Deep Root disputed the claim that the exposed database was compiled in connection with the RNC or Trump campaign.
“The data accessed was not built for or used by any specific client,” the company said on its website. “It is our proprietary analysis to help inform local television ad buying.”
UpGuard said the data was stored in a “publicly accessible cloud server” owned by Deep Root. The 1.1 terabytes of data included “entirely unsecured personal information” collected by Deep Root and “at least two other Republican contractors.”
Among the data were voters’ names, dates of birth, home addresses, phone numbers, voter-registration data and information related to ethnicity and religion, according to UpGuard.
Deep Root said the data was “to the best of our knowledge proprietary information as well as voter data that is publicly available and readily provided by state government offices.”
The company said it had updated its system-access settings and “put protocols in place to prevent further access.” It will do an internal review and has hired a cybersecurity firm “to conduct a thorough investigation,” Deep Root said.
“Based on the information we have gathered thus far, we do not believe that our systems have been hacked.”
It’s unclear whether any bad actors may have come across the database while it was exposed. UpGuard listed potential “misuses” of the information, including “the almost limitless criminal applications of the exposed data for purposes of identity theft, fraud, and resale on the black market.”
While the breach occurred in the cloud, finger-pointing in the direction of cloud platforms in general would be misdirected, said Varun Badhwar, CEO of Menlo Park cybersecurity firm RedLock.
“The reality is that it’s the customer’s responsibility to ensure that their networks, users and applications are securely configured in the cloud,” Badhwar said.
“Over 40 percent of organizations have accidentally exposed at least one cloud storage service like Amazon Simple Storage Services to the public.
“Public cloud infrastructure such as (Amazon Web Services) can be highly secure if configured correctly. A sorry state of security in the cloud is caused by organizations rushing to deploy services in the cloud without the appropriate security visibility and monitoring controls in place.”