Thousands of U.S. Voter Personal Records Leaked by Robocall Firm

Researchers have discovered yet another misconfigured repository bucket – this time leaking the information of U.S. voters.

The information was exposed on a public Amazon S3 bucket by a Virginia-based political campaign and robocalling company called Robocent.

Kromtech Security researchers, who disclosed the bucket Wednesday, said the data was available for anybody on the internet searching for a “voters” keyword. Disturbingly, the Robocent data was found as a self-titled bucket indexed by GrayhatWarfare, a searchable database – where a current list of 48,623 open S3 buckets can be found, they said.

“I’m almost sure that the data was accessed, since it was practically available for search (I found it by entering search query ‘voters’ in [GrayhatWarfare]),” Bob Diachenko, head of communications at Kromtech Security, told Threatpost in an email. “There has been no indication on how long this was open. But I assume long enough – for tools like GrayHatWarfare to index and list it.”

The bucket contained almost 2,600 files – including audio files with pre-recorded political messages for robocalls, and voter data. That data included full names, phone numbers, full addresses, age and birth year, gender and jurisdiction breakdown.

Demographic data, including ethnicity and political affiliation (provided by state or inferred based on voting trends), were also included.

Kromtech Security sent a responsible disclosure to Robocent, who quickly secured the bucket and accessible files. Robocent, which sells voter data for 3 cents per record, did not immediately respond to a request for comment from Threatpost.

According to Diachenko, when he got in touch with Robocent, the company’s developer explained: “We’re a small shop (I’m the only developer), so keeping track of everything can be tough.”

Francis Dinha, CEO of OpenVPN, told Threatpost that this “is no excuse at all.” However, “privacy, especially when dealing with such sensitive information, is absolutely paramount,” he said. “All online information should only be available on a need-to-know basis.”

Leaky cloud storage buckets are all too common nowadays, and voter databases have also been caught up in these types of exposures over the past year as well. In January and February, for instance, a  MongoDB exposed California voter data, meaning that anybody with access to the internet could have accessed the database without a password or login credentials.

Jessica Ortega, security research analyst at SiteLock, said that taking proactive steps to ensure that sensitive data hosted on cloud storage platforms is secured can easily prevent these types of incidents from happening.

“Today’s data exposure appears to be the result of a misconfigured Amazon S3 bucket,” she told Threatpost. “In this case, it appears that Robocent… configured a database storing private voter registration records to be publicly accessible. Amazon offers several ways to secure data stored on S3 buckets, most importantly updating the privacy settings to ensure that files are not publicly accessible -this should be set to private by default. Developers utilizing S3 buckets to store files can also implement encryption and access logging to monitor access to files within the bucket.”