Hundreds of thousands of voter records exposed on misconfigured server, researcher says
Yet another misconfigured Amazon S3 bucket has exposed the sensitive information of unsuspecting people.
This time, hundreds of thousands of voters’ information was left open for the taking by a Virginia robocalling firm called RoboCent, according to Bob Diachenko, a security researcher at cybersecurity firm Kromtech.
Diachenko wrote in a LinkedIn blog post Wednesday that he discovered a trove of about 26,000 files, including audio files with pre-recorded political messages and spreadsheets containing voter information, in the leaky server.
The voter data, according to Diachenko, includes names, phone numbers, addresses, political affiliations, birth dates, genders, jurisdictions and some demographic information.
The RoboCent files were accessible to anyone who did a specialized web search for “voters,” said Diachenko.
By the time it was identified by Kromtech, the server had already been indexed by GrayhatWarfare, another website that scans the internet for open S3 buckets.
Diachenko says he disclosed the finding to RoboCent and a developer with the company who quickly secured the bucket. The data also appears to no longer be available on GrayhatWarfare.
According to its website, RoboCent offers a number of services to help organizations target voters, including voter turnout records as well as automated calling. One record goes for 3 cents.
Much of the voter data that was found exposed is already public information. State governments often make voter rolls available by request to journalists, researchers and political organizations. In some cases, they can be freely downloaded online.
The RoboCent case is the latest in a series of incidents that shows how a simple server misconfiguration can leave voters’ personal information open for anyone.
A set of 191 million voter records was found exposed in 2015 and another set of 198 million records was discovered last year. Also, the American Civil Liberties Union is suing the Kansas secretary of state for allegedly exposing voter data, including partial Social Security Numbers, used in a program aiming to detect voter fraud.
ZDNet first reported the discovery by Kromtech.