Another Day, Another Pile Of Voter Data Left Laying Around On A Public Server

from the you'd-think-we'd-learn-something dept

Leaving private voter or customer data easily accessible on a public-facing server is the hot new fashion trend. You'll recall that it's a problem that has plagued the Defense Department, GOP data firm Deep Root Analytics (198 million voter records exposed), Verizon's marketing partners (6 million users impacted), Time Warner Cable (4 million users impacted), and countless other companies or partners that failed to implement even basic security practices. And it's a trend that shows no sign of slowing down despite repeated, similar stories (much of it thanks to analysis by security researcher Chris Vickery).

This week yet another pile of private voter data was left publicly accessible for anybody to peruse. According to analysis by Kromtech Security’s Bob Dianchenko, a Virginia-based political consulting and robocalling company by the name of Robocent publicly exposed 2,600 files, including voter file spreadsheets (including voter phone numbers, names, addresses, political affiliations, gender, voting districts and more) and audio recordings for a number of political campaigns.

When Diachenko contacted the firm, he was told that they were a "small shop" and that "keeping track of everything can be tough." In a statement to ZDNet, which first reported the latest exposure, Robocent co-founder Travis Trawick did his best to downplay the exposure by insisting the data was stale, and publicly-available anyway:

"In an emailed statement, Robocent co-founder Travis Trawick confirmed that the data had been secured, and claimed that the data was from "an old bucket from 2013-2016 that hasn't been used in the past two years." He confirmed that the company is investigating the scope of the data that was accessible. "All exposed data was publically available information," he said, adding that he will contact affected customers "if required by law."

The problem: what's deemed "publicly available" varies from state to state. While voter data is generally a matter of public record, states like Maine and Massachusetts restrict the use of such data for political campaign purposes. Other States, like South Carolina, have restrictions on only selling said data if you're a registered voter in the state. And while the data may have been stale, it still wasn't adequately protected however you slice it; it was quickly indexed by GrayhatWarfare, a searchable database where a current list of 48,623 open S3 buckets can be perused at your leisure.

This latest exposure is believed to be the fifth major breach of voter data in the last half-decade. It's a trend that shows no real sign of slowing down despite the simplicity of protecting this data and the rampant press coverage such exposures routinely receive.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: bob dianchenko, data breach, security, travis trawick, voter data, voting
Companies: kromtech security, robocent


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. icon
    Uriel-238 (profile), 19 Jul 2018 @ 10:51am

    Uriel's Conclusion (based on many observations)

    It's a great era for hackers.

    link to this | view in thread ]

  2. icon
    steell (profile), 19 Jul 2018 @ 10:57am

    Is there anyone

    in the US whose personal data has not been revealed / stolen? Maybe even multiple times?

    link to this | view in thread ]

  3. identicon
    Anonymous Coward, 19 Jul 2018 @ 11:14am

    Re: Is there anyone

    Everyone should assume their info has been exposed and behave accordingly.

    link to this | view in thread ]

  4. identicon
    Anonymous Coward, 19 Jul 2018 @ 11:15am

    Re: Is there anyone

    At this point my goal in life is to be unmonetizable.

    link to this | view in thread ]

  5. identicon
    Anonymous Coward, 19 Jul 2018 @ 11:23am

    Re: Re: Is there anyone

    You strive to be worthless?

    You could just go into politics.

    link to this | view in thread ]

  6. icon
    Mason Wheeler (profile), 19 Jul 2018 @ 11:44am

    Re: Re: Is there anyone

    Definitely. After Equifax, believing anything else is simply foolhardy.

    link to this | view in thread ]

  7. icon
    Berenerd (profile), 19 Jul 2018 @ 11:46am

    This might explain why I am suddenly getting all these scam charity calls all of the sudden. Then there is the "save 30% on your electric bills 30% from random cell numbers

    link to this | view in thread ]

  8. identicon
    I.T. Guy, 19 Jul 2018 @ 11:54am

    Re: Re: Re: Is there anyone

    Or Law enforcement.

    link to this | view in thread ]

  9. icon
    That Anonymous Coward (profile), 19 Jul 2018 @ 12:00pm

    "he was told that they were a "small shop" and that "keeping track of everything can be tough.""

    If there were actual penalties to be paid for fscking around on security, I betcha they could keep track of things.

    Until the cost to the company is greater than the downside they will keep doing things in a shitty fashion. The only people making bank on this are the credit monitoring services (who leak only slightly less than those who buy their service in bulk to stop lawsuits).

    Pretty sure it wouldn't take huge numbers to cause change.
    Say $1000.... $500 to the Government & $500 to the person who had their data leaked (because no settlement is ever enough so why the fsck not).

    link to this | view in thread ]

  10. identicon
    Anonymous Coward, 19 Jul 2018 @ 12:18pm

    Re: Re: Re: Re: Is there anyone

    Only worthless to the advertisers.

    link to this | view in thread ]

  11. identicon
    Anonymous Coward, 19 Jul 2018 @ 12:25pm

    It was the Ruskies.

    link to this | view in thread ]

  12. icon
    Mike Shore (profile), 19 Jul 2018 @ 12:26pm

    Where is Amazon?

    Not to minimize the incompetence of these shops, but it seems many of these breaches are of Amazon S3/AWS. I admit I know nothing about how Amazon sets up their cloud offering, but could Amazon help by making their offering more secure by default?

    link to this | view in thread ]

  13. identicon
    Anonymous Coward, 19 Jul 2018 @ 12:52pm

    Re: Where is Amazon?

    I don't know squat about Amazon AWS, but I'm also not going to point at the provider of the building blocks for the idiocy of the people who used them to build something.

    Wouldn't be at all surprised if Amazon does provide some very easily implemented basic-level security options/services that this particular company never took advantage of.

    Don't push blame down the stack.

    link to this | view in thread ]

  14. identicon
    Anonymous Coward, 19 Jul 2018 @ 1:50pm

    It's almost like some sort of general data protection regulations are needed...

    link to this | view in thread ]

  15. identicon
    Anonymous Coward, 19 Jul 2018 @ 4:18pm

    Re: Re: Is there anyone

    Just run add blockers, that way the advertisers waste money to figure out which adds you will not see.

    link to this | view in thread ]

  16. identicon
    Bl00p, 20 Jul 2018 @ 4:04am

    Re: Re: Where is Amazon?

    Perhaps blame should be pushed down the stack, this issue is a serious one, and everyone involved should be looked at. He stated that Amazon was a easy target due to lack thereof of security, it can only help everyone involved to increase said security.

    Don't pretend that no big fishes are to blame in this mess, ignorance ain't no bliss, wake up.

    link to this | view in thread ]

  17. icon
    Wolfie0827 (profile), 20 Jul 2018 @ 7:26am

    Re: Re: Re: Where is Amazon?

    This is like: You get robbed because you do not lock your door, then blame the door or lock manufacturer because the door/lock wasn't designed to lock automatically.

    link to this | view in thread ]

  18. identicon
    Amit Sharma, 20 Jul 2018 @ 10:58am

    Where is Amazon?

    don't push blame.

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.