By Carey Wedler
A consulting firm hired to elect Donald Trump in the 2016 election is responsible for the leak of data belonging to nearly 200 million Americans, according to UpGuard, a cyber-risk consulting firm.
According to UpGuard, Chris Vickery, one of the firm’s cyber risk analysts, discovered the server where the data was publicly stored. It includes “dates of birth, home addresses, phone numbers, and voter registration details, as well as data described as ‘modeled’ voter ethnicities and religions.” Roughly 198 million Americans’ data was stored on the server, according to UpGuard’s explanation of their findings.
The firm explained:
The data, which was stored in a publicly accessible cloud server owned by Republican data firm Deep Root Analytics, included 1.1 terabytes of entirely unsecured personal information compiled by DRA and at least two other Republican contractors, TargetPoint Consulting, Inc. and Data Trust.
Data Trust is a “data warehouse” that provides records for the GOP, while Target Point is a Republican-focused market research firm.
ZDNET, a tech-oriented outlet, confirmed UpGuard’s findings, explaining that after Mitt Romney lost the 2012 election, the Republican party set out to replicate the left’s “data-driven techniques,” which Barack Obama’s 2008 campaign used with great success:
Through a handful of companies, including data firms, market researchers, and analytics providers, the GOP replicated that Obama campaign strategy by helping its political candidates make data-based decisions about their campaigns.
UpGuard discussed the “misconfigured database,” noting it is unclear how long the data was exposed but that it included 9.5 billion data points on as many as 3 out of 5 Americans, “scoring 198 million potential US voters on their likely political preferences using advanced algorithmic modeling across forty-eight different categories.”
Vickery discovered the open cloud repository while searching for misconfigured data sources for UpGuard’s research team. “The data repository, an Amazon Web Services S3 bucket, lacked any protection against access,” UpGuard writes. “As such, anyone with an internet connection could have accessed the Republican data operation used to power Donald Trump’s presidential victory, simply by navigating to a six-character Amazon subdomain: ‘dra-dw.’”
The files also contain data compiled following the election. ZDNET explained further, noting information specifically from TargetPoint:
Some of these files, says UpGuard, contain millions of entries that appear to rate voters on the post-election likelihood of supporting a certain policy, candidate, or belief on a scale of ‘very unlikely’ to ‘very likely.’
According to UpGuard, Deep Root Analytics has acknowledged they operated the repository and secured it after Vickery reported the breach to federal authorities on June 14.
Before that, 1.1 terabytes — the equivalent of 500 hours of video — was publicly available for download and included “file directories named for a number of high-powered and influential Republican political organizations.” Some additional 24 terabytes had been configured to prevent public access, making the total amount of data “equivalent in size to about 10 billion pages of text.”
“Less clear was the significance of intriguing but inaccessible files, such as one titled “for_strategy_xroads_updated_FINAL” – which may refer in some capacity to American Crossroads, the Super PAC co-founded by former George W. Bush adviser Karl Rove that was very active in 2016 electoral financing. Also found was a large cache of Reddit posts, saved as text,” UpGuard noted.
ZDNET reported that Data Trust refused to comment on the findings and TargetPoint had not responded to a request for comment.
Alex Lundry, co-founder of Data Root, said the company is taking “full responsibility for this situation.”
“Deep Root Analytics has become aware that a number of files within our online storage system were accessed without our knowledge,” he said.
He also added:
We accept full responsibility, will continue with our investigation, and based on the information we have gathered thus far, we do not believe that our systems have been hacked.
The firm may be taking responsibility for what UpGuard believes is the largest U.S. voter data breach ever, but UpGuard’s findings and Data Root’s subsequent admission reveals something as disturbing as the leak itself: the lengths the political establishment will go to secure power.
The widespread, rigorous degree of data analysis on millions of individuals — not to mention the carelessness with which that data was stored — reflects what many Americans increasingly understand: elections are not about representing people, but rather, studying them, analyzing them, and manipulating them into supporting ruling institutions and politicians.
Regardless, UpGuard warned that unless firms begin handling their data more responsibly, another leak of this scale is inevitable:
Despite the breadth of this breach, it will doubtlessly be topped in the future—to a likely far more damaging effect—if the ethos of cyber resilience across all platforms does not become the common language of all internet-facing systems.