Seven months after an election that highlighted cybersecurity, a massive data leak from a GOP contractor could have exposed the personal information of over 198 million Americans. A Republican-leaning data firm, Deep Root Analytics, had the 1.1 terabytes of data stored on a public Amazon server without any password protection or encryption. A cyber risk analyst from UpGuard, a cyber resilience platform, discovered it while looking for potential security risks and reported it to federal authorities.
Gizmodo reports that Deep Root has accepted full responsibility for the oversight and corrected the issue, adding multiple layers of security to the data.
UpGuard's Breach Analysis Blog reports that this is potentially the biggest leak of personal data ever. The data included records from almost all of the 200 million people registered to vote in the U.S. The Republican Party had contracted Deep Root to gather the information as part of its work to elect Donald Trump, and the firm drew it from all sorts of sources, from public voter registration rolls to Reddit accounts. The data included a wealth of personal information about potential voters, from their addresses to their preferences on important issues like gun rights and the environment.
Deep Root claims that they didn't find evidence that the information had been stolen for any nefarious purposes, even though it was stored on the open server for at least 12 days. Gizmodo reports that leaving campaign resources like this voter information unsecured is a common problem, as campaign operations often just drop everything after election day. This sort of information also goes stale very quickly, so saving it for future campaigns isn't useful. During the campaign, though, it's invaluable. Strategists can use it to target and build advertising and to make models of target voters.
Although there have been large-scale breaches of electoral data in the past, UpGuard writes that the sheer number of people potentially affected dwarfs anything that's ever happened before. If you're registered to vote in the U.S., it's likely that at least some of your information would have been stored in that file. And as it didn't have to do specifically with online account passwords or anything like that, this isn't something that you can protect yourself against by changing your Gmail password. The best thing you can do is keep as little personal information about yourself online as possible, and hope that Deep Root's claim that the information wasn't stolen is true.