Political robocall firm Robocent left hundreds of thousands of US voter records exposed on an online server without any password protection, security researchers have found. Kromtech Security researcher Bob Diachenko spotted the open AWS S3 bucket, which contained 2594 listed files including spreadsheets and audio recordings for multiple political campaigns.
Diachenko took screenshots and posted them to a LinkedIn blog post on Wednesday.
“Robocent cloud storage, with 2594 listed files, was available for anybody on the internet searching for a ‘voters’ keyword, long before I have spotted it,” wrote Diachenko. "What's more disturbing is that company’s self-titled bucket has been indexed by GrayhatWarfare, a searchable database where a current list of 48,623 open S3 buckets can be found."
The exposed repository contained audio files with prerecorded political messages for robocall dials as well as voter data. The exposed data included voters' full names, home addresses, political affiliations, gender, phone numbers, age, birth year, jurisdiction breakdown based on district or zip code and other demographics like education, ethnicity and languages spoken.
The data also included several columns calculating a person's political leanings and how they may vote, like "weak Democrat", "hard Republican" or "swing" voter.
Diachenko noted that many of the files did not originate at Robocent but were aggregated from outside data firms like NationBuilder.
According to its website, Robocent offers "reliable voter data" at just 3¢/record for "every need, whether it be for a new robocall or simply to update records for door knocking." It also provides robocalling services for political surveys and inquiries.
Diachenko contacted Robocent's lead developer to notify them of his findings. The S3 bucket has since been secured. In an email to Diachenko, the developer responded: "We're a small shop (I'm the only developer) so keeping track of everything can be tough."
Robocent co-founder Travis Trawick claimed in a statement to ZDNet that the data was from "an old bucket from 2013-2016 that hasn't been used in the past two years." He added that all the exposed data was publicly available information but noted that he will contact affected customers "if required by law."
It is not immediately clear how long the data was left exposed or if it has been previously accessed by malicious entities.
The exposure is the latest in a string of voter data breaches in recent years.
In 2015, a misconfigured database exposed voter registration information along with voter IDs, party affiliations and addresses of 191 million Americans. In 2016, the Republican Party of Iowa exposed voter information of nearly 2 million voters on an unencrypted database. In August 2017, over 1.8 million Chicago residents' personal data was exposed by voting machine supplier Election Systems & Software (ES&S).
Meanwhile, GOP-hired Deep Root Analytics exposed information on nearly 200 million US citizens - over 60% of the population - via a publicly accessible Amazon server in June last year.