A few days after the personal data of nearly 200 million registered American voters was accidentally exposed online due to an “improperly configured security setting”, some of the people affected by the breach have filed a class-action lawsuit against the analytics company responsible for the leak.
A total of 1.1 terabytes of data was available to download, unprotected by a password or any other security measure. UpGuard cyber risk analyst Christopher Vickery found the unsecured database on June 12, and downloaded the data over the course of the next two days. Deep Root Analytics, a conservative data analytics firm, confirmed ownership of the data and responsibility for the misconfiguration. Much of the information came from the 2008, 2012, and 2016 presidential elections. The 2016 files were not as in-depth as those from previous election cycles.
Deep Root Analytics claimed that this file became open on June 1 as new security settings were put in place. While the data was owned by Deep Root, it was collected from multiple conservative data agencies, dating all the way back to 2006.
“In total, the personal information of potentially near all of America’s 200 million registered voters was exposed, including names, dates of birth, home addresses, phone numbers, and voter registration details,” UpGuard said in a statement on the leak.
The information included personal data about 62 percent of Americans and advanced voter analyses including where voters stood on issues such as abortion, climate change and gun ownership among others. There are anywhere from five to 40 data points on each individual. There are around 30 data points per person, and in total around 6 billion data points that were not secured.
The lawsuit, filed in Florida, seeks damages from Deep Root Analytics for “failing to secure and safeguard the public’s personally identifiable information”.
While it was well documented that these voter data firms exist, the revelation of the unsecured voter database was an unwelcome surprise to the network security community.
“While you can offshore or outsource tasks and functions, you can never outsource the risks. As such every company that deals in sensitive or valuable data should have an information assurance program that risk rates their vendors, monitors them for security and other factors and provides governance to the company regarding their third-party and the risk appetite set by the company,” said Chris Pierson, Chief Security Officer at Viewpost.
Many recent major breaches have begun with third parties, including the Target breach that affected more than 100 million customers.
“Most companies do not have an information assurance program or view this as a risk beyond a legal indemnification. The RNC database leak root cause appears to be sloppiness by their third-party and might have been caught in mandated configuration scanning or cloud storage providers or other types of penetration testing,” Pierson said.
CC BY license image by Theresa Thompson