A marketing firm once contracted by the Republican National Committee exposed personal data including birth dates, emails, physical addresses, religion, race, and political leanings for more than half the U.S. population.
According to a Gizmodo report, the RNC and other GOP organizations contracted the conservative firm Deep Root Analytics to gather audience data from multiple sources, such as Republican super PACs and Reddit, that were intended to be used for targeted political ads. That aggregated data was found on an insecure server that wasn’t password protected and could be accessed by anyone with the URL.
Cybersecurity analyst Chris Vickery with UpGuard found more than a terabyte of data Deep Root had gathered from multiple Republican-linked sources on an Amazon cloud server, along with other data — some proprietary — from several millions of dollars worth of GOP contracts, including the GOP Data Trust, Gizmodo reported.
Deep Root claims the company wasn’t hacked and the data exposure was the result of a vulnerability in a recent security update. Vickery also discovered a trove of voter data belonging to 191 million people in 2015.
Cybersecurity problems aren’t party loyal, but this is the second GOP-related breach of voter files. In 2015, presidential hopeful Jeb Bush accidentally released hundreds of thousands of voter emails, many of which contained private data, such as emails, social security numbers, and home addresses.
But Deep Root’s breach sheds light on more than just the importance of cybersecurity — it also gives a glimpse into how Republicans are using data to gain and hold political ground.
As Gizmodo reported, the data Deep Root collected wasn’t for a specific client but rather a “proprietary analysis to help inform local television ad buying.” Combined with data from several Republican organizations stored on Deep Root’s servers, it’s safe to say that targeted ads are a major function of the Right’s political strategy.
Deep Root’s founding data scientist Alex Lundry used to work on Jeb Bush’s and Mitt Romney’s campaigns, and the company was one of three to work on President Donald Trump’s presidential campaign. Among the personal contact information found on the insecure server were how individual voters felt about certain hot button issues such as stem cell research, gun ownership, and abortion.
The exposed data poses a privacy threat for voters, especially if it gets in the wrong hands before a security patch is released.
“This is valuable for people who have nefarious purposes,” the Center for Democracy and Technology’s chief technologist, Joseph Lorenzo Hall, told Gizmodo.
Moreover, there’s no way to force campaigns and their contractors to do a better job securing the data they collect.
“Campaigns are very narrowly focused. They are shoestring operations, even presidential campaigns. So they don’t think of this as an asset they need to protect,” Hall said.
“I can think of no avenues for punishing political data breaches or otherwise properly aligning the incentives. I worry that if there’s no way to punish campaigns for leaking this stuff, it’s going to continue to happen until something bad happens.”