Information about 191 million registered voters was left exposed on the Internet, raising new questions about the security chops of political campaigns who increasingly hold large caches of data about Americans.
The leak appeared to be the result of a technical error that allowed the information to be publicly accessed online, not a hack. It was uncovered by Austin, TX-based security researcher Chris Vickery who brought his findings to Databreaches.net and the cybersecurity blog Salted Hash. Those sites said it remains unclear who controls the database.
"I wouldn't have been too surprised to see a county or so worth of data exposed. But to see every registered voter in the US all together was very surprising, I was shocked," said Vickery.
The leaked data contains a slew of information about Americans who are registered to vote, including their full name, home address, mailing address, date of birth, phone number, political affiliation, emails and details about if they had voted in each election going back to 2000.
Much of this information is public record and a variety of companies sell political campaigns databases that combine the information so they can target their outreach. But some states have different restrictions on how the information may be disclosed or how it can be used.
South Dakota, for instance, makes people requesting voter file data to agree the information "may not be placed for unrestricted access on the internet."
Vickery and Databreaches.net's initial investigation pointed to Nation Builder, digital campaigning platform, as a possible source of the information based on some of the labels within the database. But in a statement, Nation Builder chief executive Jim Gilliam, said the company did not control the database, although it was possible that some of the information it contained may have come from data it makes freely available to campaigns.
"We strongly believe in making voter information more accessible to political campaigns and advocacy groups, so we provide cleaned versions of that publicly accessible information to them for free. We do not provide access to anyone for non-political purposes or that would violate any state’s laws," he said.
So far, no one has come forward to claim the database, and Databreaches.net reports it is no longer available online. The site says it and Vickery reported the database leak to the FBI's New York field office and other authorities including the California Attorney General’s Office.
The database did not include things like social security numbers or financial data. But because the information was openly available online, it could potentially be used for commercial purposes beyond what the laws in some states allow -- or by scammers hoping to use to information about things like political affiliation to help inform their schemes, privacy advocates said.
They added that the next breach of political data may be more damaging because campaigns are increasingly mixing traditional voter file information with data culled from consumer data brokers and other sources.
"They're gathering more and more data and we're not seeing a parallel investment in security," said Jeffrey Chester, the executive director of the Center for Digital Democracy. "It's a disaster waiting to happen."
This post has been updated to include comment from Vickery.