The personal details of 198 million United States citizens, roughly 61 percent of the country's population, was leaked by a data firm contracted by the Republican National Committee.
Deep Root Analytics stored massive amounts of information, such as potential voters' names, addresses, phone numbers, and birth dates, on a publicly accessible Amazon cloud account resulting in what some experts believe is the largest ever leak of its kind.
"In terms of the disc space used, this is the biggest exposure I've found. In terms of the scope and depth, this is the biggest one I've found," Chris Vickery, a prominent researcher in securing sensitive information online, told The Hill.
Vickery, an analyst for the cybersecurity firm UpGuard, discovered the improperly stored details of millions of people on the Amazon server used by Deep Root Analytics last week. Twenty-five terabytes of data, including over one terabyte of data available for download, was stored without a password and easily attainable to any hacker who could obtain the URL.
The now-secured files contained data typical to political campaigns, some of which is already public information, but also included analysis to help the GOP best target specific voting populations. Many of the records stored on the server came from data firms other than Deep Root Analytics, one of which was The Data Trust, the primary provider of the GOP's voter details contracted by the party for a whopping $6.7 million in 2016. Interestingly enough, the director of The Data Trust, Johnny DeStefano, is President Donald Trump's director of presidential personnel.
Bill Daddi, who appears to be in charge of the public relations for Deep Root Analytics, told The Intercept that an investigation was underway into the unprecedented leak. In a statement made by the data firm, the point was made that thus far they do not see any evidence to indicate this was a hack job.
"We accept full responsibility, will continue with our investigation, and based on the information we have gathered thus far, we do not believe that our systems have been hacked," he said. "To date, the only entity that we are aware of that had access to the data was Chris Vickery."
The collection of citizens' details has been a huge part of the Republican Party's recent political strategy. While Deep Root Analytics told Gizmodo that their data was not intended for any particular client, the telling fact remains that they were contracted by the GOP for $983,000 last year and by and large the firm works predominately with conservative groups. This is not to say that the Democrats do not have their hands on their own data servers, like NationBuilder. In the age of technology, successful politics is defined by how you use it.
The personal data of potential voters is incredibly useful to those running political campaigns and millions of dollars are spent on analyzing the information to help win presidential elections. However, it is a double-edged sword; if the data is leaked it has the potential to impact American citizens in incredibly harmful ways, but that apparently hasn't inspired firms or political parties to be cautious. Because much of the data can become quickly out of date due to voter's life changes, it is often improperly protected. In cases like Deep Root Analytics, when it is exposed, there isn't much in place in the form of retribution.
“Campaigns are very narrowly focused. They are shoestring operations, even presidential campaigns. So they don’t think of this as an asset they need to protect,” Joseph Hall, the chief technologist for the Center for Democracy and Technology, told Gizmodo. "I can think of no avenues for punishing political data breaches or otherwise properly aligning the incentives. I worry that if there’s no way to punish campaigns for leaking this stuff, it’s going to continue to happen until something bad happens."
So far, Deep Root Analytics doesn't suspect that any third party managed to get their hands on the exposed data. Yet while that could inspire a sigh of relief in some, there's not much in place to incentivize data firms to care enough to stop these incidents from happening again. Next time, Americans might not be so lucky.