A California-based cybersecurity firm found a database of nearly 200 million American voters – along with their preferences and modeling data – left unsecured on an Amazon cloud server by data contractors working on Donald Trump’s 2016 presidential bid.
Chris Vickery, an analyst working with the cybersecurity company UpGuard, was able to access the files on June 12, the company announced Monday. Vickery was able to download 1.1 terabytes of information from the database.
Another 24 terabytes of files were correctly configured to prevent public access. It is unclear whether anyone else had accessed the files before they were secured on June 14.
Vickery identified the database as compiled by Deep Root Analytics, Data Trust, and TargetPoint Consulting, Inc. – all contractors working for the Republican National Committee (RNC) during the 2016 presidential election. The database had last been updated in January 2017.
The data accessed by Vickery included names, birth dates, home addresses, phone numbers, and voter registration details for 198 million Americans, as well as “modeled” voter ethnicities and religions, according to UpGuard’s blog post about the discovery.
Spreadsheets containing the data on nearly 200 million Americans also contained roughly 9.5 billion data points modeling voter preferences and behavior, “a treasure trove of political data and modeled preferences used by the Trump campaign,” according to UpGuard.
UpGuard’s Dan O’Sullivan described the modeling spreadsheet as “an impressive deployment of analytical might,” and was able to look up the entry on himself after identifying the 32-digit internal number the RNC used to identify every voter.
“It is a testament both to their talents, and to the real danger of this exposure, that the results were astoundingly accurate,” wrote O’Sullivan.
The data repository was located on an Amazon Web Services S3 “bucket” named ‘dra-dw,’ which stands for Deep Root Analytics Data Warehouse. Anyone with an internet connection could have accessed the data just by navigating to the six-character domain, according to Vickery.
Deep Root confirmed that they owned and operated the bucket, which was secured against public access after Vickery notified federal authorities. It is unclear how long the database had been accessible to the public.
UpGuard is an Australian-founded cybersecurity company based in Mountain View, California.