Personal information belonging to 198 million American voters was exposed for more than week this month, publicly accessible from a "misconfigured database" — if you knew where to look.
The data, which came from a variety of sources, was collated by a data analytics firm called Deep Root Analytics. The company was hired by the Republican National Committee (RNC) in the run-up to the 2016 U.S. presidential election to provide insights on American voters and their feelings towards important campaign issues.
It included "names, dates of birth, home addresses, phone numbers, and voter registration details," plus best guesses at voter ethnicities and religious beliefs, according to the cybersecurity firm UpGuard, which discovered the exposed data, and detailed its investigation in a blog post on its website.
"That such an enormous national database could be created and hosted online, missing even the simplest of protections against the data being publicly accessible, is troubling," read the post, which called the discovery "perhaps the largest known exposure of voter information in history."
Gizmodo, which was one of the first outlets to report the exposed data Monday morning, confirmed that Deep Root Analytics owned the server which stored the data.
"We take full responsibility for this situation," Deep Root co-founder Alex Lundry told Gizmodo in a statement.
Lundry co-founded Deep Root in 2013, after working as the director of data science on Mitt Romney's failed 2012 U.S. presidential campaign.
- Here's why reports of data breaches will skyrocket this year
- Should the federal government have to report breaches too?
- Malicious hackers say they demanded $50,000 ransom for stolen Bell data
More than a terabyte of information was publicly accessible. The data was stored on an Amazon server that had not been properly secured, and also contained personal information collated by at least two additional companies, in addition to the information collected by Deep Root.
According to Gizmodo, the server was accessbile for 12 days before it was discovered and reported by UpGuard cyber risk analyst Chris Vickery. Deep Root secured the server two days later.
Vickery had previously discovered another publicly accessible database of 191 million voter records in 2015, using similar techniques.