GOP Data Firm Accidentally Exposes Personal Details Of Nearly 200 Million Voters

Jun 21, 2017
Originally published on June 21, 2017 5:39 pm
Copyright 2018 NPR. To see more, visit http://www.npr.org/.

AUDIE CORNISH, HOST:

While lawmakers are focused on hacking during the presidential election, cybersecurity experts this week say the data of almost 200 million voters was left exposed online. The unprotected files belonged to the Republican National Committee and included all kinds of detailed information like voting histories, phone numbers, even posts from anonymous sites like Reddit.

Chris Vickery is an analyst with the cybersecurity firm UpGuard, and he's the one who found the data. I asked him how he made the discovery.

CHRIS VICKERY: I was putting in random web addresses, and this one turned out to be publicly accessible. And everything was right there in front of me. There was no complicated maneuvering involved at all.

CORNISH: So no password, no username needed and in downloadable form.

VICKERY: Exactly.

CORNISH: So we mentioned voting history, phone numbers. What else was in this database, and how deep does it go?

VICKERY: Well, the data contained in this dataset was far more expansive than people realize - basically anything a person that would have malicious intent would need in order to mount a campaign of either identity theft or even authenticating themselves to various services that you may use like cable companies or phone providers. So somebody could take this information and have a very good foundation of facts that could be used for a massive campaign against specific targets. That's just the basic personal data.

Then there's data on every single person in the entire country regarding how they feel on 46 different categories of political persuasion, issues like drilling in America or whether or not Trump should communicate and cooperate with high-ranking Democrats. This is so exact, you can target a neighborhood with specific ads or an individual with ads depending on what you think they feel.

CORNISH: So there is actually something to be protected here. But somehow there's not the incentive to do it yet.

VICKERY: Oh, yes, this should absolutely be protected information. These days, if a bad guy has your phone number and can get your PIN, they can, at 3 a.m. in the morning, get a code sent to your phone, listen to your voicemails, log in to your bank account and drain all your money. Phone numbers are more important than people realize.

CORNISH: Now, this is actually the third time you've found huge portions of voter data information vulnerable online. Do our political parties have a clue when it comes to cybersecurity?

VICKERY: Well, the answer is, no, they do not have a clue. And actually, I've found the entire United States Voter Registration databases three times. I've also found the entire country of Mexico. So five or six actual large-scale voter database finds I've come across.

CORNISH: When you look at how easy it was for you to find this information, is this a bad sign for our election process?

VICKERY: I think it is not a good sign. It shows that commercial interests are overtaking concerns of security, privacy and the good of the public overall. The fact that there's money-making incentives to collect and not secure this data very well, it just speaks volumes about what needs to change in America regarding privacy, security and our priorities.

CORNISH: Chris Vickery is with the cybersecurity firm UpGuard. Thank you so much for speaking with ALL THINGS CONSIDERED.

VICKERY: Thank you.

(SOUNDBITE OF NEARLY ORATORIO'S "OCCLUDE") Transcript provided by NPR, Copyright NPR.