Political data gathered on more than 198 million US citizens was exposed this month after a marketing firm contracted by the Republican National Committee stored internal documents on a publicly accessible Amazon server, where they were available for 12 days to anyone with the URL.
The 1.1 terabytes of data includes birthdates, home addresses, telephone numbers and political views of nearly 62% of the entire US population. UpGuard cyber risk analyst Chris Vickery discovered Deep Root’s data online last week.
Deep Root Analytics, a conservative data firm that identifies audiences for political ads, confirmed ownership of the data to Gizmodo on Friday.
But wait, there's more...
Apart from personal details, the data also contained citizens' suspected religious affiliations, ethnicities and political biases, such as where they stood on controversial topics like gun control, the right to abortion and stem cell research.
This type of data can easily be used for nefarious purposes, from identity fraud to harassment or intimidation of people who hold an opposing political view.
Worst of all, this is a spear phishing gold mine!
Who got their hands on this data?
It's not clear. What we know for sure is that UpGuard's Chris Vickery found it. Twelve days on the Internet is a very long time. Bad guys are scanning for misconfigured databases 24/7, so the chances that someone else found it too are high.
In a statement, Deep Root founder Alex Lundry told Gizmodo, “We take full responsibility for this situation.” He said the data included proprietary information as well as publicly available voter data provided by state government officials. “Since this event has come to our attention, we have updated the access settings and put protocols in place to prevent further access,” Lundry said.
First, deny everything...
Deep Root’s data was exposed after the company updated its security settings on June 1, Lundry said. Deep Root has retained Stroz Friedberg, a cybersecurity and digital forensics firm, to investigate. “Based on the information we have gathered thus far, we do not believe that our systems have been hacked,” Lundry added.
Yeah, right. First, you deny everything. Later, bit by bit, the truth comes out. For the moment, you should assume the data was breached.
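The root cause here was a storage bucket left readable by anyone with the URL. As an added example (mine, not Deep Root's or KnowBe4's code), the following audits a bucket's ACL, bucket policy and Block Public Access settings for exactly that kind of grant; it assumes the dict shapes boto3 returns from get_bucket_acl, get_bucket_policy and get_public_access_block, and runs on constructed sample data without touching AWS.

```python
"""Flag S3 bucket settings that expose data publicly (added example, not from the post).
Inputs mirror boto3's get_bucket_acl / get_bucket_policy / get_public_access_block
shapes; the samples below are constructed and no AWS call is made."""
import json

PUBLIC_GROUPS = {  # grantee URIs that open objects to everyone / any AWS account
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}  # read/list by a public principal
BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def public_acl_grants(acl):
    """Return (group, permission) pairs granted to public groups in a bucket ACL."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        group = PUBLIC_GROUPS.get(grantee.get("URI", ""))
        if grantee.get("Type") == "Group" and group:
            found.append((group, grant["Permission"]))
    return found


def public_policy_statements(policy_json):
    """Return Sids of Allow statements granting read/list to Principal '*' (Conditions ignored, so this over-reports)."""
    found = []
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = stmt.get("Principal")
        is_public = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") == "Allow" and is_public and any(a.lower() in READ_ACTIONS for a in actions):
            found.append(stmt.get("Sid", "<no Sid>"))
    return found


def audit_bucket(acl, policy_json, block_config):
    """Combine both checks; only a fully enabled Block Public Access config neutralises them."""
    acl_hits, policy_hits = public_acl_grants(acl), public_policy_statements(policy_json)
    blocked = all((block_config or {}).get(k) is True for k in BLOCK_KEYS)
    return {"acl": acl_hits, "policy": policy_hits, "blocked": blocked,
            "exposed": not blocked and bool(acl_hits or policy_hits)}


# Constructed sample: owner keeps FULL_CONTROL, but AllUsers has READ and the policy is world-readable.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Sid": "PublicRead", "Effect": "Allow",
    "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
```

Running audit_bucket over the output of the three boto3 calls for every bucket in an account turns this into a quick inventory of buckets that are open the way the one in this story was.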
I suggest you send employees, friends and family an email about this Scam Of The Week, feel free to copy/paste/edit:
"Voter data on 198 million (yes that's million) US Citizens was improperly stored and freely available for 12 days on the internet. There has never been a data breach this big. The information includes birthdates, home addresses, telephone numbers, political views, suspected religious affiliations, ethnicities, where they stood on topics like gun control, the right to abortion and stem cell research.
This type of data can easily be used for nefarious purposes, from identity fraud to harassment or intimidation of people who hold an opposing political view. Worst of all, if bad guys have gotten hold of this data, they can send highly personalized phishing attacks to you, looking like something totally legit.
From here on out, treat any email you get at the house or the office with a healthy dose of suspicion and ask yourself if it could be a scam. Do not click on links in emails and do not open attachments you did not ask for. Also, be careful with robocalls and phone scammers that seem to know a lot about you. Remember, Think Before You Click!"
Obviously, an end-user who was trained to spot social engineering red flags like this would think before they click.
I strongly suggest you get a quote for new-school security awareness training for your organization and find out how affordable this is. You simply have got to start training and phishing your users ASAP. If you don't, the bad guys will, because your filters never catch all of it. Get a quote now and you will be pleasantly surprised.
Don't like to click on redirected buttons? Cut & Paste this link in your browser:
https://info.knowbe4.com/kmsat_get_a_quote_now
Let's stay safe out there.
Warm regards,
Stu Sjouwerman,
Founder and CEO, KnowBe4, Inc.