Robocalling Firm Exposes U.S. Voter Records
22.7.18 securityweek BigBrothers
A publicly accessible Amazon Web Services S3 bucket belonging to a political autodial firm was exposing hundreds of thousands of United States voter records.
Discovered by Kromtech Security's Bob Diachenko, the misconfigured data repository is part of robocalling company Robocent’s cloud storage and has been already indexed by searchable database GrayhatWarfare, which currently lists over 48,000 open S3 buckets.
Virginia Beach-based political autodial firm claims to have over 10 years of combined autodial experience and to be able to “reach thousands of voters instantly.”
“Our powerful dialer can make thousands of calls a minute, ensuring large calls always meet the deadline,” Robocent notes on its website.
The company’s publicly accessible storage had 2594 listed files that included audio files with pre-recorded political messages for robocalls dials (*.mp3, *.wav).
More importantly, the Amazon S3 bucket contained a large amount of voter data (in the form of *.csv, *.xls files): full name, suffix, prefix; phone numbers (cell and landlines); address with house, street, city, state, zip, precinct; age and birth year; and gender.
Other voter information found in the cloud storage included affiliation provided by state, or inferred based on voting trends/history; jurisdiction breakdown based on district, zip code, precinct, county, state; and demographics based on ethnicity, language, and education, Diachenko reveals.
Many of the files in the S3 bucket were aggregated from outside data firms such as NationalBuilder.
In addition to making political robocalls starting at 1¢ per dial, Robcent also provides voter data at only 3¢ per record. The company also advertises on its website the data points it collects.
“We provide voter files for every need, whether it be for a new robocall or simply to update records for door knocking. Our simple request process allows users to choose exactly who to target with no minimum order,” Robocent says on its website.
According to Diachenko, the company quickly secured the S3 bucket and files access after being responsibly alerted on the issue.
“We're a small shop (I'm the only developer) so keeping track of everything can be tough,” Diachenko was told.
Over the past several years, there were numerous incidents involving voter databases, including one reported by Diachenko in December last year, where an improperly secured MongoDB database exposed the information of the entire voting population of California: it contained 19,264,123 records.