More voter data exposed via cloud misconfiguration
By Sara Friedman
A misconfigured Amazon S3 bucket used by RoboCent, a Virginia-based campaign and robocalling company, left hundreds of thousands of voter records exposed on a public cloud.
According to Bob Diachenko, a security researcher at cybersecurity firm Kromtech, RoboCent’s Amazon S3 bucket held 2,594 listed files containing pre-recorded messages for robocalls and voter data for several campaigns; the voter data included names, phone numbers, addresses, political affiliation, age and demographics. Diachenko wrote about finding RoboCent’s open Amazon S3 bucket in a LinkedIn blog post on July 18.
RoboCent co-founder Travis Trawick told ZDNet that the data was from an old bucket used from 2013 to 2016. It was indexed on GreyhatWarfare, a searchable database of open S3 buckets.
This is not the first instance of voter data being stored in the cloud unprotected. In June 2017 a security researcher found that an improperly configured Amazon S3 security setting exposed a database compiled by Deep Root Analytics containing the birth dates, addresses, voter registration details and social media posts of 198 million voters. In August of that same year, Election Systems & Software, a voting software and election management company, exposed records of 1.8 million Chicago voters because of a misconfiguration of a security setting on yet another Amazon S3 storage bucket.
This exposure of voter data also comes on the heels of other election security vulnerability disclosures. Earlier this week, ES&S admitted that it had installed remote-access software on a “small number” of election management systems sold from 2000 to 2006.