A Virginia-based political campaign and robocalling company, which claims it can "reach thousands of voters instantly," left a huge batch of files containing hundreds of thousands of voter records on a public and exposed Amazon S3 bucket that anyone could access without a password.
The bucket contained close to 2,600 files, including spreadsheets and audio recordings, for several US political campaigns.
Kromtech Security's Bob Diachenko, who discovered the exposed data and blogged his findings, shared several screenshots of the data prior to publication. The screenshots were packed with voters' full names, home addresses, and political affiliations.
The data also included gender, phone numbers, age, and birth year, as well as a jurisdiction breakdown based on district or zip code and other demographics, like ethnicity, language spoken, and education.
Several columns in the data also included a calculation of how a person might vote, such as "weak Democrat," "hard Republican," or "swing" voter. Robocent doesn't hide the data points it collects, openly advertising them on its website.
Voter registration data in most states is readily available as a matter of public record, but much of the data is restricted and can be used only for limited purposes. Some but not all states prevent the data from being used for commercial purposes. (You can read more here about what is public data and what isn't.) It's not uncommon for political campaigns to buy the data and complement it with their own data in an effort to predict how a person might vote, making it easier to go after swing voters with targeted messaging.
Diachenko contacted the company to secure the data. As part of that effort, he spoke to the company's lead developer -- believed to be the co-founder's brother -- who claimed to be the only person "keeping track of everything."
In an emailed statement, Robocent co-founder Travis Trawick confirmed that the data had been secured, and claimed that the data was from "an old bucket from 2013-2016 that hasn't been used in the past two years."
He confirmed that the company is investigating the scope of the data that was accessible.