To any nefarious hackers looking for information that could be used to sway elections or steal Americans’ identities, the file compiled by a GOP data firm called Deep Root Analytics offered all manner of possibilities.
There in one place was detailed personal information about almost every voter in the U.S. It was a collection of some 9.5 billion data points that helped the firm assess not only how those Americans would probably vote, but also their projected political preferences. In some cases, the data collectors had scoured people’s histories on Reddit, the social media platform, to match vote history with social media use, and well-informed predictions were made about where each voter would stand on issues as personal as abortion and stem cell research.
It’s the kind of sensitive information that, if a bank or a big-box retailer or almost any other corporation had failed to protect it, would have triggered major trouble with regulators. But there it sat on the Internet, without so much as a password to guard it, for 12 days.
Luckily for the Republican Party and Deep Root, an Arlington, Va.-based firm that handles data management and analysis for the party, it was a cybersecurity consultant who came across the treasure-trove of political data this month, not a foreign agent. There is no indication that the database had been tapped by any other unauthorized parties while it was unprotected.
But the exposure of the data, which some are describing as the largest leak of voter information in history, is a jolting reminder of how deeply the political parties are probing into the lives of voters and how vulnerable the information they are compiling is to theft.
The Deep Root incident is the latest in a series of such problems with political data, the most infamous being the case of the Russian hack of the Democratic National Committee. As cybersecurity experts sound an increasingly loud alarm about the potential consequences, the lapses keep happening — often with nobody held accountable for them.
“This is a catalog of human lives, with intrinsic details,” said Mike Baukes, chief executive of UpGuard, the Mountain View, Calif., firm that came across the file during a routine scan of cloud systems.
“Every voter in America is potentially in there. The scale of it is just staggering, and the fact that it was left wide open is wholly irresponsible. … This is happening all the time. We are continually finding these things. It is just staggering.”
Privacy experts were skeptical that political operatives would change their ways following the latest incident.
“The state of security for massive data sets is so incredibly poor despite a daily drumbeat of data breaches,” said Timothy Sparapani, a former director of public policy for Facebook who is now a data privacy consultant at the firm SPQR Strategies, based in Washington. “It is shocking. It is embarrassing. People ought to lose their jobs.”
Sparapani said if the culprit had been a private firm, it would be subjected to punitive actions by attorneys general, consumer lawsuits and big fines from regulators. But political operations face no such repercussions.
“As a voter, you are left with almost no recourse because our laws have not caught up to the massive computing power which is readily available to gather enormous data sets and make them searchable at the click of a button,” he said. “The breadth and depth of data collection by these companies is not well understood. If it were, I think the average voter would be frightened.”
UpGuard was able to access the file merely by guessing a Web address. It alerted Deep Root as well as federal authorities.
Deep Root apologized in a statement, but also suggested the incident had been overblown.
The data file “is our proprietary analysis to help inform local-television ad buying,” the statement said. It noted that much of the voter information the analysis is built on is “readily provided by state government offices.” The firm said it has put security procedures in place to prevent future leaks.
Other digital strategists warned, however, that the failure to protect such detailed information not only raised major privacy and security concerns, but also may have tipped off political adversaries to the inner workings of the Republican Party’s closely guarded digital strategy.
The GOP contracted with Deep Root during the presidential campaign. The firm’s co-founder, Alex Lundry, led the data efforts of GOP nominee Mitt Romney in 2012 and then worked for the unsuccessful presidential campaign of former Florida Gov. Jeb Bush last year.
GOP officials said the data belonging to the party that was exposed was limited to very basic information about voters, such as their party registration. They said none of the GOP’s sensitive strategic data was exposed. The party has suspended work with the firm pending an investigation by Deep Root into security procedures.
The failure by Deep Root to protect its massive database was particularly troubling to some advocates at a time when Congress is investigating how Russia exploited data vulnerabilities to meddle in last year’s presidential election.
“This is data used for opinion manipulation,” said Marc Rotenberg, executive director of the nonprofit research group Electronic Privacy Information Center, based in Washington. “It needs to be regulated. And there needs to be consequence for breaches. We have a major problem in this country with data security, and it’s getting worse.” The foundation wants Congress to hold hearings on political data security.
But holding political parties and contractors accountable for their data practices has proven tricky. David Berger, an attorney with the Bay Area-based firm Girard Gibbs who has represented consumers affected by data breaches at Anthem and Home Depot, said part of the problem is voters are not demanding changes loudly enough.
When a retail company fails to protect the privacy of its customers, Berger said, the company suffers and lawmakers hear about it from the victims.
“When people see Deep Root, they are not going to necessarily associate that with the [Republican Party] or anything else,” he said. “If your average American knew the amounts of data and profiling that is already put together by these companies about every single one of us, people would be very concerned. But there’s no face here, and they try to keep quiet.”
Halper reported from Washington and Dave from Los Angeles.