198 million Americans hit by 'largest ever' voter records leak

Personal data on 198 million voters, including analytics data that suggests who a person is likely to vote for and why, was stored on an unsecured Amazon server.
Written by Zack Whittaker, Contributor

A huge trove of voter data, including personal information and voter profiling data on what's thought to be every registered US voter dating back more than a decade, has been found on an exposed and unsecured server, ZDNet has learned.

It's believed to be the largest ever known exposure of voter information to date.

The various databases containing 198 million records on American voters from all political parties were found stored on an open Amazon S3 storage server owned by a Republican data analytics firm, Deep Root Analytics.

UpGuard cyber risk analyst Chris Vickery, who found the exposed server, verified the data. Through his responsible disclosure, the server was secured late last week, and prior to publication.

This leak shines a spotlight on the Republicans' multi-million dollar effort to better target potential voters by utilizing big data. The move was largely a response to the successes of the Barack Obama campaign in 2008, thought to have been the first data-driven campaign.

Through a handful of companies, including data firms, market researchers, and analytics providers, the GOP replicated that Obama campaign strategy by helping its political candidates make data-based decisions about their campaigns.

The exposed records include files provided by Data Trust, a data warehouse created by the GOP to serve as its exclusive data provider of voter records. The company sells and supplies voter data to political candidates, who rely on access to the data in order to shape their campaigns.

According to UpGuard, the folder includes dozens of spreadsheets containing a unique GOP identifier for each voter for the 2008 and 2012 presidential campaigns, which link to "dozens of sensitive and personally identifying data points, making it possible to piece together a striking amount of detail on individual Americans specified by name." A folder containing 2016 data only included files for Ohio and Florida, two crucial battleground states.

Each record lists a voter's name, date of birth, home address, phone number, and voter registration details, such as which political party a person is registered with. The data also includes "profiling" information, voter ethnicities and religions, and various other kinds of information pertinent to a voter's political persuasions and preferences, as modeled by the firms' data scientists, in order to better target political advertising.

Senior executives at Data Trust would not speak on the record prior to publication.

The exposed server was also found to contain gigabytes of data from TargetPoint, a conservative market research firm focused on helping candidates better understand voters' policy preferences and political actions. Some of these files, says UpGuard, contain millions of entries that appear to rate voters on the post-election likelihood of supporting a certain policy, candidate, or belief on a scale of "very unlikely" to "very likely."

An email to TargetPoint prior to publication went unanswered. (If we hear back, we will update.)

Deep Root, which claims to be the "most experienced group of targeters in Republican politics," uses that wealth of data to help its political clients make better decisions when buying television advertising air-time.

That, the hope is, allows prospective Republican candidates and their committees to target pro-trade Republicans who might vote blue, and Democrats who want tighter immigration controls who can be convinced to vote red.

Alex Lundry, co-founder of Deep Root, confirmed the company owned the Amazon S3 storage server, and said in an email that the company has taken "full responsibility for this situation."

"Deep Root Analytics has become aware that a number of files within our online storage system were accessed without our knowledge," said Lundry.

"The data that was accessed was, to the best of our knowledge proprietary information as well as voter data that is publicly available and readily provided by state government offices. Since this event has come to our attention, we have updated the access settings and put protocols in place to prevent further access."

"We accept full responsibility, will continue with our investigation, and based on the information we have gathered thus far, we do not believe that our systems have been hacked," he said.

This isn't the first batch of voter data found by Vickery.

Vickery, who we profiled on ZDNet earlier this year, found 87 million Mexican voter records in an exposed database in 2016.

He was also responsible for discovering several US voter databases online totaling 18 million voters, and the state of Louisiana's entire database of 2.9 million voters.

Deep Root's exposure also appears to be larger than the 191 million voter records exposed in late 2015, and another massive leak of 154 million voter records a year later.
