Accidental Data Leak Exposes 198 Million Americans’ Personal Information


The 2016 presidential election was noteworthy not just because of its outcome, but also for the extent to which both parties used technical data collection behind the scenes to secure victories in swing states. Just last week, a cyber risk analyst stumbled onto a trove of that gathered data, collected on 198 million Americans, on an unprotected server.

The analyst, Chris Vickery, an employee of the cyber security startup UpGuard, came across the 1.1 terabytes of data on an Amazon cloud server, which wasn’t password protected and was accessible to anyone with the URL. According to UpGuard, it took Vickery several days to download the extensive dataset, which may have been left open and exposed for 10 to 14 days.

UpGuard is calling this leak the “largest known data exposure of its kind,” and confirmed that the discovered content includes names, dates of birth, home addresses, phone numbers, and indications of individuals’ ethnicities and religions. Voters’ political views on hot-button campaign issues such as fossil fuels and taxes were also minutely recorded, likely for future micro-targeted campaigns.

The information was collected by GOP data firm Deep Root Analytics, one of three data firms hired by the RNC to help Donald Trump win the presidential election.

On Friday, the firm acknowledged that the data was theirs and released a statement apologizing for the breach.

Deep Root Analytics CEO Brent McGoldrick said the company takes “full responsibility” for the leak. He added that the mistake was likely due to “a recent change in asset access settings since June 1.”

Although much of the data collected by Deep Root Analytics is available online through more innocuous sources, many have been quick to analyze the leak’s potential cyber security ramifications.

“That such an enormous national database could be created and hosted online, missing even the simplest of protections against the data being publicly accessible, is troubling,” UpGuard said on their website.

This leak also comes at a time when the U.S. elections and elections in other Western nations have been the targets of increasingly aggressive cyber attacks.

“This is deeply troubling,” Privacy International’s policy officer Frederike Kaltheuner told BBC News. “This is not just sensitive, it’s intimate information, predictions about people’s behavior, opinions, and beliefs that people have never decided to disclose to anyone.”

While this leak could have been much more damaging and revealed more secretive information, experts say this should be a warning. If companies don’t make cyber security a priority, individuals may have to worry a lot more the next time a leak occurs.

Celia Heudebourg is an editorial intern for Law Street Media. She is from Paris, France and is entering her senior year at Macalester College in Minnesota where she studies international relations and political science. When she’s not reading or watching the news, she can be found planning a trip abroad or binge-watching a good Netflix show. Contact Celia at Staff@LawStreetMedia.com.