Another Day, Another Pile Of Voter Data Left Laying Around On A Public Server
from the you'd-think-we'd-learn-something dept
Leaving private voter or customer data easily accessible on a public-facing server is the hot new fashion trend. You'll recall that it's a problem that has plagued the Defense Department, GOP data firm Deep Root Analytics (198 million voter records exposed), Verizon's marketing partners (6 million users impacted), Time Warner Cable (4 million users impacted), and countless other companies or partners that failed to implement even basic security practices. And it's a trend that shows no sign of slowing down despite repeated, similar stories (much of it thanks to analysis by security researcher Chris Vickery).
This week yet another pile of private voter data was left publicly accessible for anybody to peruse. According to analysis by Kromtech Security’s Bob Dianchenko, a Virginia-based political consulting and robocalling company by the name of Robocent publicly exposed 2,600 files, including voter file spreadsheets (including voter phone numbers, names, addresses, political affiliations, gender, voting districts and more) and audio recordings for a number of political campaigns.
When Diachenko contacted the firm, he was told that they were a "small shop" and that "keeping track of everything can be tough." In a statement to ZDNet, which first reported the latest exposure, Robocent co-founder Travis Trawick did his best to downplay the exposure by insisting the data was stale, and publicly-available anyway:
"In an emailed statement, Robocent co-founder Travis Trawick confirmed that the data had been secured, and claimed that the data was from "an old bucket from 2013-2016 that hasn't been used in the past two years." He confirmed that the company is investigating the scope of the data that was accessible. "All exposed data was publically available information," he said, adding that he will contact affected customers "if required by law."
The problem: what's deemed "publicly available" varies from state to state. While voter data is generally a matter of public record, states like Maine and Massachusetts restrict the use of such data for political campaign purposes. Other States, like South Carolina, have restrictions on only selling said data if you're a registered voter in the state. And while the data may have been stale, it still wasn't adequately protected however you slice it; it was quickly indexed by GrayhatWarfare, a searchable database where a current list of 48,623 open S3 buckets can be perused at your leisure.
This latest exposure is believed to be the fifth major breach of voter data in the last half-decade. It's a trend that shows no real sign of slowing down despite the simplicity of protecting this data and the rampant press coverage such exposures routinely receive.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: bob dianchenko, data breach, security, travis trawick, voter data, voting
Companies: kromtech security, robocent
Reader Comments
Subscribe: RSS
View by: Time | Thread
Uriel's Conclusion (based on many observations)
It's a great era for hackers.
[ link to this | view in thread ]
Is there anyone
[ link to this | view in thread ]
Re: Is there anyone
[ link to this | view in thread ]
Re: Is there anyone
[ link to this | view in thread ]
Re: Re: Is there anyone
You could just go into politics.
[ link to this | view in thread ]
Re: Re: Is there anyone
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Re: Re: Is there anyone
[ link to this | view in thread ]
If there were actual penalties to be paid for fscking around on security, I betcha they could keep track of things.
Until the cost to the company is greater than the downside they will keep doing things in a shitty fashion. The only people making bank on this are the credit monitoring services (who leak only slightly less than those who buy their service in bulk to stop lawsuits).
Pretty sure it wouldn't take huge numbers to cause change.
Say $1000.... $500 to the Government & $500 to the person who had their data leaked (because no settlement is ever enough so why the fsck not).
[ link to this | view in thread ]
Re: Re: Re: Re: Is there anyone
[ link to this | view in thread ]
[ link to this | view in thread ]
Where is Amazon?
[ link to this | view in thread ]
Re: Where is Amazon?
Wouldn't be at all surprised if Amazon does provide some very easily implemented basic-level security options/services that this particular company never took advantage of.
Don't push blame down the stack.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Re: Is there anyone
[ link to this | view in thread ]
Re: Re: Where is Amazon?
Don't pretend that no big fishes are to blame in this mess, ignorance ain't no bliss, wake up.
[ link to this | view in thread ]
Re: Re: Re: Where is Amazon?
[ link to this | view in thread ]
Where is Amazon?
don't push blame.
[ link to this | view in thread ]