Sensitive personal details relating to about 200 million US citizens have been mistakenly exposed by a marketing firm contracted by the Republican National Committee.
The 1.1 terabytes of data includes birthdates, residential addresses, telephone numbers and political views of more than half of the entire US population.
The data was available on a publicly accessible Amazon cloud server.
It was accessible to anybody, as long as they had a link to it.
Political biases exposed
The large store of data was discovered last week by Chris Vickery, a cyber-risk analyst with security firm UpGuard. The information appears to have been gathered from a wide range of sources – from posts on controversial banned threads on the social network Reddit, to committees that raised funds for the Republican Party.
The information was stored in spreadsheets uploaded to a server owned by Deep Root Analytics. It had last been updated in January when President Donald Trump was inaugurated and had been online for an undetermined period of time.
“We take full responsibility for this situation. In regards to the information we have gathered thus far, we do not believe that our systems have been hacked,” Deep Root Analytics’ founder Alex Lundry told technology website Gizmodo.
“Since this event has come to our attention, we have updated the access settings and put protocols in place to prevent further access.”
Aside from personal details, the data also contained citizens’ suspected religious affiliations, ethnicities and political biases, such as where they stood on controversial topics like gun control, the right to abortion and stem cell research.
The file names and directories showed that the data was meant to be used by well-known Republican political organisations. The plan was to try to create a profile on as many voters as possible using all available data, so some of the fields in the spreadsheets were left empty if an answer could not be found.
“That such a large national database could be created and hosted online, missing even the simplest of protections against the data being publicly accessible, is troubling,” Dan O’Sullivan wrote in a blog post on UpGuard’s website.
“The ability to collect such information and store it insecurely further raised a concern on the responsibilities owed by private corporations and political campaigns to those citizens targeted by increasingly high-powered data analytics operations.”
Although it is known that political parties occasionally gather data on voters, this is the biggest error involving electoral data in the US to date, and privacy experts are concerned about the extent of the data gathered.
“This is deeply troubling. This is not just sensitive, it’s intimate information, forecasts about people’s behaviour, opinions and beliefs that people have never wanted to reveal to anyone,” said Privacy International’s policy officer Frederike Kaltheuner.
However, the issue of data collection and using computer models to predict voter behaviour is not limited to marketing firms – Privacy International says that the entire online advertising ecosystem functions in the same way.
“It is a threat to the way democracy works. The GOP [Republican Party] relied on publicly-collected, commercially-provided information. Who would have noticed that the data they entrusted to one organisation would later on be used against them politically?
“You should be in charge of what is happening to your data, who can use it and for what purposes,” Ms Kaltheuner added.
There are fears that the accessible data could easily be used for malicious purposes, from identity fraud to harassment of people under protection orders, or to threaten individuals with an opposing political view.
“The potential for this type of data being made available publicly and on the dark web is extremely high,” said Paul Fletcher, a cyber-security evangelist at security firm Alert Logic.