Another cache of US voter data has leaked.
A Virginia-based political campaign and robocalling company, which claims it can “reach thousands of voters instantly,” left a huge batch of files containing hundreds of thousands of voter records on a public and exposed Amazon S3 bucket that anyone could access without a password.
The bucket contained close to 2,600 files, including spreadsheets and audio recordings, for several US political campaigns.
Kromtech Security’s Bob Diachenko, who discovered the exposed data and blogged his findings, shared several screenshots of the data prior to publication, packed with voters’ full names, home addresses, and political affiliations.
The data also included gender, phone numbers, age, and birth year, as well as a jurisdiction breakdown based on district or zip code and other demographics, like ethnicity, language spoken, and education.
Several columns in the data also included a calculation of how a person might vote, such as “weak Democrat” or “hard Republican,” or “swing” voter. Robocent doesn’t hide the data points it collects, openly advertising them on its website.
Voter registration data in most states is readily available as a matter of public record, but much of the data is restricted and can be used only for limited purposes. Some but not all states prevent the data from being used for commercial purposes. (You can read more here about what is public data and what isn’t.) It’s not uncommon for political campaigns to buy the data and complement it with their own data in an effort to predict how a person might vote, making it easier to go after swing voters with targeted messaging.
Diachenko contacted the company to secure the data. As part of that effort, he spoke to the company’s lead developer — believed to be the co-founder’s brother — who claimed to be the only person “keeping track of everything.”
“We’re a small shop,” he said, according to Diachenko’s blog post.
In an emailed statement, Robocent co-founder Travis Trawick confirmed that the data had been secured, and claimed that the data was from “an old bucket from 2013-2016 that hasn’t been used in the past two years.”
He confirmed that the company is investigating the scope of the data that was accessible.
“All exposed data was publicly available information,” he said, adding that he will contact affected customers “if required by law.”
It’s not known how long the data was left exposed, but it was long enough to be cached by sites like Grayhat Warfare, which scrape the contents of open buckets.
The Robocent exposure is believed to be at least the fifth major breach of voter data in as many years.
Before the 2016 presidential election, a database of 191 million voter records was exposed, topped two years later with a breach of 198 million voter records — almost every registered US voter, believed to be the largest voter data breach in history.
Months later, more data was leaked, and again following a database misconfiguration at a Republican polling firm.
By Zack Whittaker