'The mother lode of all leaks': A massive data breach exposed 'information that can be used to steal an election'

A data analytics firm hired by the Republican National Committee last year to gather political information about US voters accidentally leaked the sensitive personal details of roughly 198 million US citizens earlier this month, as its database was left exposed on the open web for nearly two weeks.

Deep Root Analytics, a conservative data firm contracted by the RNC as part of a push to ramp up its voter analytics operation in the wake of Mitt Romney's defeat in the 2012 presidential election, stored details about approximately 61% of the US population on an Amazon cloud server without password protection for those two weeks.

Gizmodo first reported the leak, which was discovered by UpGuard cyber risk analyst Chris Vickery.

"I find data breach situations like this all day long, every day," Vickery told Business Insider on Monday. "Companies don't realize their employees are cutting corners, and mistakes get made. It's an absolute epidemic."

The data, according to UpGuard's analysis, "included 1.1 terabytes of entirely unsecured personal information compiled by Deep Root Analytics and at least two other Republican contractors, TargetPoint Consulting, Inc. and Data Trust. In total, the personal information of potentially near all of America's 200 million registered voters was exposed, including names, dates of birth, home addresses, phone numbers, and voter registration details, as well as data described as 'modeled' voter ethnicities and religions."

The information did not include highly sensitive information like Social Security numbers, and much of it was publicly available voter-registration data provided by state government officials, a company spokesman told Business Insider on Tuesday.

"Since this event has come to our attention, we have updated the access settings and put protocols in place to prevent further access," Deep Root said in a statement. "We take full responsibility for this situation."

But the exposed database combined individuals' personal information and political inclinations - including proprietary information gathered via predictive modeling tools - to create a detailed profile of nearly 200 million Americans that would be a "gold mine" for anyone looking to target and manipulate US voters, said Archie Agarwal, founder of the cybersecurity firm ThreatModeler.

"This is the mother lode of all leaks," Agarwal said Monday. "Governments are made or broken on this. I don't even have the words to describe it."

'This is what you can use to steal an election'

Deep Root emphasized in its statement that the data that was accessed "was, to the best of our knowledge, proprietary information as well as voter data that is publicly available and readily provided by state government offices."

But Agarwal said data like Deep Root's is extremely valuable to adversaries who could use it to better understand what makes American voters tick, allowing nefarious actors to better coordinate their efforts to sway public opinion - efforts that could be particularly consequential in the kind of key swing states that proved crucial to President Donald Trump's election victory.

"If the Russians have this data, then they have targeted information that could allow them to try to swing the vote," Agarwal said.

"There is nothing more valuable to some people out there than this kind of information," Upguard's Vickery added. "This is what you can use to steal an election at the state and local level. It tells you who you need to advertise to to swing votes."

Cybersecurity experts who spoke to Business Insider all said Deep Root's mistake - which made these sensitive voter data files available to anyone who found the URL to the cloud server - is common and easy to make.

But while "it's not hard to make this mistake, but it's also hard not to check that it's been made," Vickery said.

Joseph Lorenzo Hall, the chief technologist at the Center for Democracy and Technology, said the voter information would be worth "a s---load of money" to anyone on the black market - particularly a hacker working on behalf of a foreign adversary - who happened upon it.

"Certainly you can imagine that it could have been a covert way of communicating data in a way that looked like an error," Hall said.

A senior GOP strategist who worked on the RNC's digital operations last year denied that anything nefarious had occurred, calling Deep Root "the best in the business" and arguing that, if anything, the exposure shows how far the party had come in developing a sophisticated operation that far surpassed that of Democrats.

"It's silly of Deep Root to have let that happen," the strategist said. "But I think that, overall, this story is a positive and shows that Republicans are ahead of democrats."

'It's a little fishy'

The data exposure comes as congressional and federal investigators examine Russia's interference in the 2016 election, part of which was aimed at gaining access to voter registration data and election systems in at least 39 states, Bloomberg reported last week.

"In Illinois, investigators found evidence that cyber intruders tried to delete or alter voter data," Bloomberg said. "The hackers accessed software designed to be used by poll workers on Election Day, and in at least one state accessed a campaign finance database."

In Illinois, the Russians appeared to be rummaging for sensitive information on voters. Hackers gained access to the state's voter database, which contained information such as names, birth dates, driver's licenses and partial Social Security numbers on 15 million people, according to Bloomberg.

"It's a little fishy," said Joe Loomis, the founder and Chief Technology Officer at the cybersecurity firm CyberSponse. "Especially considering that it was a leak of all of this voter data as we hear that there were these other entities gaining access to voter registration" databases, he said.

"Even if it was human error and not intentional, one IT person is probably going to put this company out of business," Loomis said, pointing to lawsuits that may be brought against the company by those who had their information exposed.

Alex McGeorge, a senior security researcher at the cybersecurity firm Immunity, Inc., agreed that the leak was likely a "careless" mistake.

"It was negligent," he said. "But now we have to take their word for it that no one got access to it" while it was online.

Deep Root said the information had been online for 12 days and that there was no indication anyone - besides Vickery, who first discovered the database - gained access to it. But Vickery said he thinks the database "was probably left up for a lot longer" than 12 days, and noted that Deep Root said initially that someone had gained "unauthorized access" to the information while it was live.

"Since then they've changed their tune," Vickery said.

Deep Root said it didn't believe its systems had been hacked "based on the information we have gathered thus far."

Agarwal, however, said that assessment could change as the company investigates the breach further.

"They are saying that based on whatever they think today, at this moment," Agarwal said. But the scope of data breaches is often not known until weeks, if not months, after they occurred.

Vickery and McGeorge said the data exposed in the Deep Root leak was likely the kind of information that the Russians already had access to. But the extent of Russia's infiltration in election systems across the country last year remains unclear, and congressional investigators are apparently trying to find out more about what the Russians accessed and why.

"While I am not aware of evidence that the 2016 voting process itself was subjected to manipulation, and have no reason to doubt the validity of the election results, we know that the DHS and FBI have confirmed two intrusions into voter registration databases in Arizona and Illinois by foreign-based hackers," Sen. Mark Warner, the vice chairman of the Senate Intelligence Committee, wrote in a letter to Homeland Security Secretary John Kelly on Tuesday.

Warner asked Kelly "to work closely with state and local election officials to disclose publicly which states were targeted, to ensure that they are fully aware of the threat, and to make certain that their cyber defenses are able to neutralize this danger. We are not made safer by keeping the scope and breadth of these attacks secret."

The exposure of voter registration information, whether through leaks or hacks, has left upcoming elections vulnerable to manipulation. Virginia and New Jersey will hold gubernatorial elections later this year, and all 435 seats in the House and 33 of the 100 seats in the Senate will be contested in the 2018 midterm elections.

"It is clear that these will not be the last attempts that we will see," Warner wrote, "and the next electoral cycle in 2018 will provide further targets for hackers."