Extracted information from Amazon S3 Bucket
Information security and enterprise data protection services experts warn that RoboCent, a firm specialized in making automatic phone calls to voters, mistakenly left almost 3K files containing detailed data about voters in Virginia exposed online. The data was stored in an Amazon S3 bucket that did not require authentication.
The data was discovered using an online search tool developed by a site called Grayhatwarfare, which is designed to index the open segments of S3. Experts in enterprise data protection services notified RoboCent, and the firm has already secured the data.
RoboCent offers several robocalling (automatic call) services for political campaigns. The company has a detailed menu of its price levels based, for example, on the number of calls that are required per campaign, whether they are doing polls, and if they want to leave a voice message.
Although no official statement has been issued, experts in enterprise data protection services report having established contact with a RoboCent developer, who mentions that, as they are a small company, it's difficult to keep track of all the information that the company works with.
Information security experts and Amazon emphasize the danger of not properly securing Amazon S3 buckets. Over the years, researchers have found large amounts of personal data improperly stored in these repositories.
Even so, cloud storage providers can only recommend best practices. Specialists in enterprise data protection services claim that if the information had been encrypted, it would not have been found; end users, not the service provider, are responsible for protecting their data.
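As an added illustration, not part of the original report and not code from RoboCent or Amazon, the following Python check shows how a bucket owner could tell whether a bucket answers requests without authentication. It assumes the ACL, bucket policy and public access block settings have already been exported in the shapes the S3 API returns; the function names, the sample data and the bucket name example-bucket are constructed for this example.

```python
import json

# ACL grantee groups that mean "anyone" / "any AWS account holder".
_BASE = "http://acs.amazonaws.com/groups/global/"
PUBLIC_GROUPS = {_BASE + "AllUsers", _BASE + "AuthenticatedUsers"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def public_acl_grants(acl):
    """Permissions an ACL (GetBucketAcl response shape) gives public groups."""
    return sorted(g["Permission"] for g in acl.get("Grants", [])
                  if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS)

def public_policy_actions(policy_json):
    """Actions a bucket policy allows to a wildcard principal."""
    if not policy_json:
        return []
    actions = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principal = principal.get("AWS", [])
        # Conditioned statements are still reported, for manual review.
        if stmt.get("Effect") == "Allow" and "*" in _as_list(principal):
            actions.update(_as_list(stmt.get("Action", [])))
    return sorted(actions)

def audit_bucket(acl, policy_json, block=None):
    """Return findings; an empty list means no anonymous access was found."""
    block = block or {}  # PublicAccessBlockConfiguration, if one is set
    findings = []
    grants = public_acl_grants(acl)
    if grants and not block.get("IgnorePublicAcls"):
        findings.append("ACL grants public " + ", ".join(grants))
    actions = public_policy_actions(policy_json)
    if actions and not block.get("RestrictPublicBuckets"):
        findings.append("policy allows anyone: " + ", ".join(actions))
    return findings

# Constructed sample: a bucket readable without authentication.
SAMPLE_ACL = {"Grants": [{"Permission": "READ", "Grantee": {
    "Type": "Group", "URI": _BASE + "AllUsers"}}]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"}]})
LOCKED = {"IgnorePublicAcls": True, "RestrictPublicBuckets": True}
if __name__ == "__main__":
    print(audit_bucket(SAMPLE_ACL, SAMPLE_POLICY))
```

With the public access block settings in LOCKED applied, the same ACL and policy produce no findings, because S3 then ignores public ACL grants and restricts access granted by public policies.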
Low risk leaks
Data on many US voters has been exposed in other leaks, but it is still questionable whether RoboCent's data management policy significantly increased the likelihood of a leak.
Last year, information security researchers found 198 million voter registration records online, including names, birthdates, addresses, and phone numbers. The data, which came from Deep Root Analytics, was exposed for about two weeks after the company made a mistake changing the access control settings.
The exposed data includes parts of the usual information that states record as part of voter registration: full name, address, birthday. RoboCent's data also contains email addresses and phone numbers. It also contains information on political affiliation based on voting trends in past elections, as well as demographic data based on ethnicity, language, and education.
Much voter data is public
The laws in the 50 US states vary in terms of access and use of voter registration data. Except for 11 states, all others allow some range of public access to electoral records. However, all states allow political parties and candidates to have access to voter registrations.
According to experts in enterprise data protection services, companies like NationBuilder collect this information for the entire United States. In the case of the state of Virginia, apparently this type of data is compiled by different marketing companies.
Like other states, Virginia offers an online tool that allows people to check if they are registered as voters. The authentication process, however, is flimsy in terms of security. Those interested in verifying their registration need to provide full name, date of birth, precinct and the last four digits of their social security numbers.
Information security experts believe that social security numbers are insufficient for authentication, as they are some of the easiest data to buy in clandestine online forums that trade in personal data.
Working as a cyber security solutions architect, Alisa focuses on bug bounty and network security. Before joining us she held cyber security researcher positions within a variety of cyber security start-ups. She also has experience in different industry domains like finance, healthcare and consumer products.