Robocalling Firm Leaves Virginia Voter Data OnlineUnsecured Amazon S3 Bucket to Blame
RoboCent, a company that specializes in robocalling voters, left nearly 3,000 files containing detailed data about Virginia voters online by mistake.
The data was stored in an Amazon S3 storage bucket that did not require authentication, writes Bob Diachenko, head of communications for security vendor Kromtech Alliance.
Diachenko discovered the data using an online search tool developed by a site calling itself Grayhatwarfare that's built to index open S3 buckets. Diachenko notified RoboCent, which has since secured the data.
RoboCent offers a variety of robocalling services for campaigns. The company has a detailed menu of its pricing structure for robocalls, based, for example, on the number of calls a campaign wants to make and whether they're doing polls or surveys or want to leave a voicemail.
Efforts to reach RoboCent officials weren't immediately successful. But Diachenko writes that a RoboCent developer told him: "We're a small shop (I'm the only developer) so keeping track of everything can be tough."
Security experts as well as Amazon have emphasized the danger of not properly securing S3 storage buckets. Over the years, researchers have found astounding amounts of unsecure personal data in such repositories.
Still, cloud providers can only preach best practices, says Pravin Kothari, CEO of CipherCloud, which specializes in cloud security. The leak wouldn't have been an issue of the data had been encrypted, he says.
"Ultimately customers are responsible to protect their own data - not the cloud provider," Kothari says. "At some point, most services on the internet will be penetrated and compromised. All of these breaches could have been avoided and of little consequence if, and only if, the data was end-to-end encrypted."
So much data on U.S. voters has been exposed in other leaks, it's questionable whether RoboCent's actually increases the risk or potential for identity theft or other mischief.
Last year, cybersecurity researcher Chris Vickery came across a batch of 198 million voter registration records, which included names, dates of birth, home addresses, phone numbers and registration details. The data, which came from Deep Root Analytics, was exposed for about two weeks after the company made a mistake when changing access control settings (see 198 Million US Voter Records Left Online For Two Weeks).
The RoboCent data includes some of the usual information that states record as part of a voter registration record: full name, address, age and birth year.
RoboCent's data also contained email addresses and phone numbers. Further, it contained inferences about political affiliation based on voting trends and history, Diachenko writes. It also contained "demographics based on ethnicity, language, education," he writes.
Much Voter Data Is Public
Laws across the 50 U.S. states vary in relation to access and use of voter registration data. All but 11 states allow some public access to electoral roles. All states do, however, allow political parties and candidates to have access to voter registration records.
Companies such as NationBuilder collect this information for the entire U.S. It would appear Virginia's records are gathered by a variety of marketing services companies.
For example, a Florida-based company called Gravis Marketing offers for sale Virginia's voting records, phone numbers and demographic data such as ethnicity, race, religion and income. It also claims to have data on groups or memberships that voters hold.
"We take pride in providing our clients with complete access of detailed voter files in Virginia inside our comprehensive database that includes millions of individual and household contacts," Gravis Marketing says on its website.
Like many states, Virginia offers an online tool that allows people to check if they're registered to vote. The authentication process, however, is of questionable security. Those interested in checking their status just need to supply their full name, birthdate, precinct and the last four digits of their Social Security numbers.
Social Security numbers are considered by security experts to be insufficient for authentication. The numbers are some of the easiest pieces of information to purchase on underground markets for personal data.