Deep Root Breach Leaks Details of 198 Million Voters

An analytics firm contracted by the Republican National Committee (RNC) has exposed personal details of nearly 200 million American voters of all political parties due to a misconfigured data warehouse. The company, Deep Root Analytics, stored voter details and modeled data on an unsecured Amazon cloud server. Anyone who typed the short URL could access over 1.1 terabytes of data that the firm amassed.

Cyber Risk Analyst Chris Vickery of UpGuard, a cyber-security company, discovered the open cloud repository last week. He spent the next 48 hours downloading the information before notifying federal authorities. Deep Root then quickly secured the data, but it had been publicly accessible for an unknown amount of time.

How Deep Root Amassed Its Information

In 2011, the RNC created Data Trust, a private company that would build a database of detailed voter information. The Republican Party would use this information for get-out-the-vote efforts and advertising campaigns. For the last six years, Data Trust has gathered as much information as it could on the American public.

Deep Root appears to have had access to Data Trust’s voter file. Vickery found massive stores of personal information on voters from the 2008 and 2012 elections inside a folder entitled “data_trust” on Deep Root’s unsecured repository.

Within the folders for each election were files for all 50 states and Washington, D.C. Within the files for each state were categories for housing various types of information.

This is the comprehensive list of categories in the state files:  

“RNCID”, “RNC_RegID”, “State”, “SOURCEID”, “Juriscode”, “Jurisname”, “CountyFIPS”, “MCD”, “CNTY”, “Town”, “Ward”, “Precinct”, “Ballotbox”, “PrecinctName”, “CD_Current”, “CD_NextElection”, “SD_Current”, “SDProper_Current”, “SD_NextElection”, “SDProper_NextElection”, “LD_Current”, “LDS_Current”, “LDProper_Current”, “LD_NextElection”, “LDS_NextElection”, “LDProper_NextElection”, “NamePrefix”, “FirstName”, “MiddleName”, “LastName”, “NameSuffix”, “Sex”, “BirthYear”, “BirthMonth”, “BirthDay”, “OfficialParty”, “StateCalcParty”, “RNCCalcParty”, “StateVoterID”, “JurisdictionVoterID”, “AffidavitID”, “LegacyID”, “LastActiveDate”, “RegistrationDate”, “VoterStatus”, “PermAbs”, “SelfReportedDemographic”, “ModeledEthnicity”, “ModeledReligion”, “ModeledEthnicGroup”, “HHSEQ”, “HTSEQ”, “RegistrationAddr1”, “RegistrationAddr2”, “RegHouseNum”, “RegHouseSfx”, “RegStPrefix”, “RegStName”, “RegStType”, “RegstPost”, “RegUnitType”, “RegUnitNumber”, “RegCity”, “RegSta”, “RegZip5”, “RegZip4”, “RegLatitude”, “RegLongitude”, “RegGeocodeLevel”, “RADR_LastCleanse”, “RADR_LastGeoCode”, “RADR_LastCOA”, “ChangeOfAddress”, “COADate”, “COAType”, “MailingAddr1”, “MailingAddr2”, “MailHouseNum”, “MailHouseSfx”, “MailStPrefix”, “MailStName”, “MailStType”, “MailStPost”, “MailUnitType”, “MailUnitNumber”, “MailCity”, “MailSta”, “MailZip5”, “MailZip4”, “MailSortCodeRoute”, “MailDeliveryPt”, “MailDeliveryPtChkDigit”, “MailLineOfTravel”, “MailLineOfTravelOrder”, “MailDPVStatus”, “MADR_LastCleanse”, “MADR_LastCOA”, “AreaCode”, “TelephoneNUm”, “TelSourceCode”, “TelMatchLevel”, “TelReliability”, “FTC_DoNotCall”, “PhoneAppendDate”, “VH12G”, “VH12P”, “VH12PP”, “VH11G”, “VH11P”, “VH10G”, “VH10P”, “VH09G”, “VH09P”, “VH08G”, “VH08P”, “VH08PP”, “VH07G”, “VH07P”, “VH06G”, “VH06P”, “VH05G”, “VH05P”, “VH04G”, “VH04P”, “VH04PP”, “VH03G”, “VH03P”, “VH02G”, “VH02P”, “MT10_Party”, “MT10_GenericBallot”, “MT10_Turnout”, “MT10_ObamaDisapproval”, “MT10_Jobs”, “MT10_Healthcare”, “MT10_SoCo”, “PG01”, “PG02”, “PG03”, “PG04”, “PG05”, 
“PG06”, “PG07”, “PG08”, “PG09”, “PG10”, “PG11”, “PG12”, “PG13”, “PG14”, “PG15”, “PG16”, “PG17”, “PG18”, “PG19”, “PG20”, “PG21”, “PG22”, “PG23”, “PG24”, “PG25”, “PG26”, “PG27”, “PG28”, “PG29”, “PG30”, “PG31”, “PG32”, “PG33”, “PG34”, “PG35”, “PG36”, “PG37”, “PG38”, “PG39”

Category names such as “ModeledReligion” and “ModeledEthnicGroup” hint at how much information Deep Root had about voters. Many people know that political parties track voters’ party affiliation, but the details that Deep Root collected will shock the general public.

Big Data Firms Scour Social Media

In January, Vice reported on the strategies of Cambridge Analytica, another conservative big data firm. The company analyzes Facebook “likes” and other online activity to determine voters’ religion, sexual orientation, and race.

Big data firms analyze thousands of individual data points for each given voter. Researchers can’t predict much based on any single online action. However, as the data points add up, firms can predict a remarkably accurate voter profile.

Deep Root used Facebook likes and other online actions to gather voter information.

Once a campaign understands what kinds of people “like” different things on Facebook, it can buy targeted ads to try to sway them. A disturbing article from Time reported that, like American political parties, Russian operatives attempt to influence U.S. voters with ads.

These operatives can also create fake social media profiles to infiltrate groups and sway their opinions. Congressional investigators are looking into possible ties between Cambridge Analytica and Eastern European social media accounts that could be Russian fronts.

Was Your Information Leaked?

Deep Root has secured the data trove, but no one knows who has accessed it in the meantime. Vickery looked up himself and a coworker in the files and determined that the information was detailed and accurate.

At this time, there is no way to know if your personal information was leaked by Deep Root. Perhaps the more troubling aspect is that a company could compile this data in the first place.
