198 Million Americans Hit by “Largest Ever” Voter Records Leak

Megalith

Are you a registered voter? Bad news for you, then: a careless data firm has probably leaked your personal information. Apparently, the data measures 1.1TB in size and includes names, home addresses, phone numbers, and dates of birth. Statements suggest that the sensitive data was left unchecked and accessible due to an incorrect server setting. I could swear that there is a ton of voter information already floating around on the web, though...

It's believed to be the largest ever known exposure of voter information to date. The various databases containing 198 million records on American voters from all political parties were found stored on an open Amazon S3 storage server owned by a Republican data analytics firm, Deep Root Analytics. UpGuard cyber risk analyst Chris Vickery, who found the exposed server, verified the data. Through his responsible disclosure, the server was secured late last week, and prior to publication.
 
Simple fix for this kind of thing is that if the company was negligent, every officer in the company can be charged with a felony in criminal court and face a minimum of 10 years in prison. Guarantee all of a sudden people would double and triple check the settings. It's one thing to get hacked, it's another thing to just chmod 777 every fucking file on a server.
 
Simple fix for this kind of thing is that if the company was negligent, every officer in the company can be charged with a felony in criminal court and face a minimum of 10 years in prison. Guarantee all of a sudden people would double and triple check the settings. It's one thing to get hacked, it's another thing to just chmod 777 every fucking file on a server.

But what will happen is this will end up on a torrent somewhere, that if you download the torrent you will be charged, not the ones responsible for leaving it open originally.
 
But what will happen is this will end up on a torrent somewhere, that if you download the torrent you will be charged, not the ones responsible for leaving it open originally.

Only if someone completely and intentionally misconstrues what I say in order to make some bizarre talking point
 
Wait...what?

I'm saying that we need a law that holds the executives of these companies criminally liable. I don't know why the offshoot of that law would be that we start holding regular people, who are completely unrelated, criminally liable as well.
 
See if you hand it over to the Russians directly it is espionage, if you accidentally leave it in an unsecured place and it is "Hacked" it is an insurance claim and a little bit of paperwork.
 
I'm saying that we need a law that holds the executives of these companies criminally liable. I don't know why the offshoot of that law would be that we start holding regular people, who are completely unrelated, criminally liable as well.

Oh okay, I understand now. I completely agree, my talking point really was that I don't feel it actually will go that way (especially in this case) and it would more likely create a secondary legal trap. Where the people responsible for leaving the data available would not be held liable, but only the person who downloaded the data and anyone that touched it thereafter would be.

Some level of certification required for different degrees of data storage (can be a long debate on the logistics of that) and if you handle said data without maintaining up to date certs that require audits, you are fined and held liable for any breach.
 
I'm saying that we need a law that holds the executives of these companies criminally liable. I don't know why the offshoot of that law would be that we start holding regular people, who are completely unrelated, criminally liable as well.

Pretty sure you can't pass a law to punish something that happened before that law.
 
Pretty sure you can't pass a law to punish something that happened before that law.

Called future protection, he said nothing about timeline, he said in general, and he's not wrong, people in the industry are lazy, seen it time and again.
 
Oh okay, I understand now. I completely agree, my talking point really was that I don't feel it actually will go that way (especially in this case) and it would more likely create a secondary legal trap. Where the people responsible for leaving the data available would not be held liable, but only the person who downloaded the data and anyone that touched it thereafter would be.

Some level of certification required for different degrees of data storage (can be a long debate on the logistics of that) and if you handle said data without maintaining up to date certs that require audits, you are fined and held liable for any breach.

Got it. So we are on the same page, just a miscommunication. I agree that, in this particular case, random people who even look at the data to see if they were in the list might get prosecuted while the company gets off scot-free.

Also agree with the idea that there need to be standards and people need to be held to them. I also was just trying to add that we need to hold more than the company liable. If someone at the company felt they could actually personally go to jail, they would take it much more seriously than "oh the company gets a fine, well it's not my money, I don't care".
 
Fuck, now I will have to listen to my union bitch about how I voted for Trump.
 
Got it. So we are on the same page, just a miscommunication. I agree that, in this particular case, random people who even look at the data to see if they were in the list might get prosecuted while the company gets off scot-free.

Also agree with the idea that there need to be standards and people need to be held to them. I also was just trying to add that we need to hold more than the company liable. If someone at the company felt they could actually personally go to jail, they would take it much more seriously than "oh the company gets a fine, well it's not my money, I don't care".

Good point.

When I was working long ago in electronic assembly, I had to build some products to be sold to the US Navy. Shipped with each product I had to provide my full name and signature and date confirming that I tested this product (as per their requirement). They did not want the company's name, they wanted the individual to state that. Kind of adds a degree of pressure, so I like the idea. You really don't sit and talk to someone while testing these, you really pay attention lol.

Personal accountability seems to be sliding away from us all.
 
So is there somewhere I can see if there is information and/or what was collected about me? Apparently it was leaked to the world, I might as well take a look at what they think about me.
 
So it's a mailing address/phone information? It's not as if people don't already get trash in the mail and calls at home, therefore databases with this information already exist out in the wild.
 
So it's a mailing address/phone information? It's not as if people don't already get trash in the mail and calls at home, therefore databases with this information already exist out in the wild.

It also contains pretty detailed information on demographics, who you are likely to vote for and why based on your job, where you live, who you associate with, and your estimated income and debt levels, as well as how you are likely to side on hot button issues like abortion, stem cell research, and other such things. This was not a simple list. The data leaked contained aggregated data pulled from over 2 dozen different sources.
 
Good point.

When I was working long ago in electronic assembly, I had to build some products to be sold to the US Navy. Shipped with each product I had to provide my full name and signature and date confirming that I tested this product (as per their requirement). They did not want the company's name, they wanted the individual to state that. Kind of adds a degree of pressure, so I like the idea. You really don't sit and talk to someone while testing these, you really pay attention lol.

Personal accountability seems to be sliding away from us all.

100% this exactly. Similar to how SOX in 2002 made the CEO and CFO personally sign the 10K that a company files every year. I want someone to personally put their signature on stuff and say "Yes I reviewed our server and if I'm wrong or lying, put me in jail".

Also totally agree personal responsibility seems to be a fading virtue.
 
See if you hand it over to the Russians directly it is espionage, if you accidentally leave it in an unsecured place and it is "Hacked" it is an insurance claim and a little bit of paperwork.

It's some very low grade PII first, last, DOB and a bunch of big data analytics values.

The first part is already publicly accessible if you pay the fees. It's not espionage. It's not really much of a data leak either at this point.

As for the analytics. Maybe they are right, maybe not. That's mostly a loss of value to the company selling the analytic service.

Bad security, but I'm more pissed at Chipotle, Target, Home Depot, Adobe, etc. than this in terms of content.
 
In before someone gets fired based on this leaked data

Should have just blamed the Russians, people would have believed it :)
 
It's some very low grade PII first, last, DOB and a bunch of big data analytics values.

The first part is already publicly accessible if you pay the fees. It's not espionage. It's not really much of a data leak either at this point.

As for the analytics. Maybe they are right, maybe not. That's mostly a loss of value to the company selling the analytic service.

Bad security, but I'm more pissed at Chipotle, Target, Home Depot, Adobe, etc. than this in terms of content.

Have you actually looked at the content yet...... Because it contains a lot of personal data, not just the basic stuff. These people crunched a lot of data and combined a lot of anonymous data from a lot of different sources, which combined together to be very focused and specific.
 
In before someone gets fired based on this leaked data

Should have just blamed the Russians, people would have believed it :)

That's the problem though, these "companies" in many cases are spun up just for a campaign, and wind down after the campaign - the focus is speed, efficiency and cost - so it's a terrible set of incentives to ignore anything that might have long-term implications or require building more robust systems.
 
That's the problem though, these "companies" in many cases are spun up just for a campaign, and wind down after the campaign - the focus is speed, efficiency and cost - so it's a terrible set of incentives to ignore anything that might have long-term implications or require building more robust systems.

Yeah the company has long since been paid, most of the staff have moved on and all that is really left is a shell and an owner who didn't do any of the actual work and isn't liable for the misconduct or bad practices of former employees as they no longer work there. The best they could do at this point is reprimand the person responsible for placing the data there but they don't know who it was so nobody is at fault.
 
Don't worry, this particular breach is on the GOP...if you aren't an idiot, you aren't affected.
 
Don't worry, this particular breach is on the GOP...if you aren't an idiot, you aren't affected.

No, according to the article:
"The various databases containing 198 million records on American voters from all political parties were found stored on an open Amazon S3 storage server owned by a Republican data analytics firm, Deep Root Analytics."

They OWNED the server, but, this is records from all parties.
 
No, according to the article:
"The various databases containing 198 million records on American voters from all political parties were found stored on an open Amazon S3 storage server owned by a Republican data analytics firm, Deep Root Analytics."

They OWNED the server, but, this is records from all parties.

My bad, another article I read seemed to say that it was only GOP voter info that was compromised.
 
The most important thing now is that all the entities, especially banks, that use date of birth or billing address as a form of authentication for over-the-phone inquiries or password retrieval have to disable and change that immediately.
 
Um, isn't voter registration public domain anyways? May not be everywhere, but I know it can be looked up on the county websites in Ohio.
 
My bad, another article I read seemed to say that it was only GOP voter info that was compromised.

It's all good. For the record, I'm not GOP. I'm pissed that this happened. Explains the spam calls I've been getting.
 
It's a good thing I'm not registered to vote, and never have been...

http://www.sacbee.com/news/politics-government/capitol-alert/article38684598.html

And looks like I'm gonna have to watch out when I renew my driver's license as well.

The fact that these political parties are keeping this kind of information is disturbing on all levels. Any claim that this helps them reach their target voters is bogus, they use this data to identify certain phrases and talking points that will strike a chord with certain demographics. It's targeted political manipulation. It's why your mailbox gets stuffed full of ranting political mail and male enhancement ads. You best believe these political parties have been selling your information... jet fuel is pricey. Since voting is all done electronically now, they also know who you voted for.

BTW the largest voting demographic in this country is old white women. They have been voting dutifully in every federal, state, and local election since women were allowed to vote. They have all outlived their husbands, and are living off of retirement, social security, welfare, personal wealth etc. so they don't work, have nothing but time on their hands and money with nowhere to spend it. So they donate to their favorite charities or political party, or anyone else with their hand out. They still believe every piece of mail, news story, wives' tale is the truth. A highly manipulable demographic to say the least. Their candidate of choice: an old white man with money. Worst possible candidate: a fellow white hussy who can't keep her husband's shit in check. Obama got voted in because he looks like Denzel Washington. Old white ladies love them some Denzel.

That's just my own smelly opinion.
 
It's a good thing I'm not registered to vote, and never have been...

http://www.sacbee.com/news/politics-government/capitol-alert/article38684598.html

And looks like I'm gonna have to watch out when I renew my driver's license as well.

The fact that these political parties are keeping this kind of information is disturbing on all levels. Any claim that this helps them reach their target voters is bogus, they use this data to identify certain phrases and talking points that will strike a chord with certain demographics. It's targeted political manipulation. It's why your mailbox gets stuffed full of ranting political mail and male enhancement ads. You best believe these political parties have been selling your information... jet fuel is pricey. Since voting is all done electronically now, they also know who you voted for.

BTW the largest voting demographic in this country is old white women. They have been voting dutifully in every federal, state, and local election since women were allowed to vote. They have all outlived their husbands, and are living off of retirement, social security, welfare, personal wealth etc. so they don't work, have nothing but time on their hands and money with nowhere to spend it. So they donate to their favorite charities or political party, or anyone else with their hand out. They still believe every piece of mail, news story, wives' tale is the truth. A highly manipulable demographic to say the least. Their candidate of choice: an old white man with money. Worst possible candidate: a fellow white hussy who can't keep her husband's shit in check. Obama got voted in because he looks like Denzel Washington. Old white ladies love them some Denzel.

That's just my own smelly opinion.

Just tell them the wrong information.
Nothing says waste of money better.
 
Um, isn't voter registration public domain anyways? May not be everywhere, but I know it can be looked up on the county websites in Ohio.

This is voter registration paired with DOB, address, implied religion, ethnicity, and probability of the importance of numerous issues to you.

The weird part of it to me is all the Reddit post data in there, were they actually posting/astroturfing, or did they simply siphon up the data to analyze it? They had a substantial number of posts saved from r/fatpeoplehate or whatever it was called.
 
I'm saying that we need a law that holds the executives of these companies criminally liable. I don't know why the offshoot of that law would be that we start holding regular people, who are completely unrelated, criminally liable as well.


The problem here is that you are going to hold them responsible by virtue of position and not by virtue of deed. Tough to do as a criminal charge.
 
It's a good thing I'm not registered to vote, and never have been...

http://www.sacbee.com/news/politics-government/capitol-alert/article38684598.html

And looks like I'm gonna have to watch out when I renew my driver's license as well.

The fact that these political parties are keeping this kind of information is disturbing on all levels. Any claim that this helps them reach their target voters is bogus, they use this data to identify certain phrases and talking points that will strike a chord with certain demographics. It's targeted political manipulation. It's why your mailbox gets stuffed full of ranting political mail and male enhancement ads. You best believe these political parties have been selling your information... jet fuel is pricey. Since voting is all done electronically now, they also know who you voted for.

BTW the largest voting demographic in this country is old white women. They have been voting dutifully in every federal, state, and local election since women were allowed to vote. They have all outlived their husbands, and are living off of retirement, social security, welfare, personal wealth etc. so they don't work, have nothing but time on their hands and money with nowhere to spend it. So they donate to their favorite charities or political party, or anyone else with their hand out. They still believe every piece of mail, news story, wives' tale is the truth. A highly manipulable demographic to say the least. Their candidate of choice: an old white man with money. Worst possible candidate: a fellow white hussy who can't keep her husband's shit in check. Obama got voted in because he looks like Denzel Washington. Old white ladies love them some Denzel.

That's just my own smelly opinion.


Well, your candor is refreshing (y)
 
The problem here is that you are going to hold them responsible by virtue of position and not by virtue of deed. Tough to do as a criminal charge.

The point is that they are ultimately responsible since whoever actually did the deed reports to them. So the tone set from the top needs to be "get it right". For example, CFO of DVI got sentenced 30 months in jail and $51m of restitution partially for knowingly signing false financial statements.
 
Russians... Russians everywhere.
In other news my power went out..... Russians?
 
The point is that they are ultimately responsible since whoever actually did the deed reports to them. So the tone set from the top needs to be "get it right". For example, CFO of DVI got sentenced 30 months in jail and $51m of restitution partially for knowingly signing false financial statements.

There is a problem with your reasoning. The company as an entity is responsible, not the individuals who operate it. Legally there is a shield here and although some acts committed by employees of a business can in fact be criminally charged, like violating HIPAA rules, they are few and they are very specific. If an individual employee fails to safeguard HIPAA information then the company can face civil charges but only the individuals directly involved can face criminal charges.

Your example is perfect though you don't realize it. As you stated, the CFO of DVI "knowingly signed false financial statements", his own actions. It's not the same as simply being the guy at the helm when an employee fucked up a security setting allowing a breach.
 