A data-analytics firm hired by the Republican National Committee last year to gather political information about US voters accidentally leaked the sensitive personal details of roughly 198 million citizens earlier this month. And it’s now facing its first class-action lawsuit.
Deep Root Analytics, a data firm contracted by the RNC, stored details of about 61% of the US population on an Amazon cloud server without password protection for roughly two weeks before it was discovered by security researcher Chris Vickery on June 12.
The class-action lawsuit, filed by James and Linda McAleer of Florida and all others similarly situated, alleges Deep Root failed to “secure and safeguard the public’s personally identifiable information such as names, addresses, email addresses, telephone numbers, dates of birth, reddit.com browsing history, and voter ID number, which Deep Root collected from many sources, including the Republican National Committee.”
The data exposed by Deep Root included 1.1 terabytes “of entirely unsecured personal information” compiled by Deep Root and at least two other Republican contractors, TargetPoint Consulting, Inc., and Data Trust, according to an analysis from the cybersecurity firm UpGuard.
“In total, the personal information of potentially near all of America’s 200 million registered voters was exposed, including names, dates of birth, home addresses, phone numbers, and voter registration details, as well as data described as ‘modeled’ voter ethnicities and religions,” UpGuard said.
The lawsuit says that President Donald Trump “is on record denouncing these sorts of breaches as ‘gross negligence.’”
It says that “as a direct and proximate cause of Deep Root’s conduct,” those exposed in the data breach may be vulnerable to identity theft and “a loss of privacy,” and argues that the “actual damages” exceed $5 million.
The exposed information did not include highly sensitive information like Social Security numbers, and much of it was publicly available voter-registration data provided by state government officials, a company spokesman told Business Insider on Tuesday.
“Since this event has come to our attention, we have updated the access settings and put protocols in place to prevent further access,” Deep Root said in a statement. “We take full responsibility for this situation.”
Deep Root didn’t immediately respond to a request for comment Wednesday.
But the exposed database combined people’s personal information and political inclinations – including proprietary information gathered via predictive modeling tools – to create a detailed profile of nearly 200 million Americans that would be a “gold mine” for anyone looking to target and manipulate voters, said Archie Agarwal, the founder of the cybersecurity firm ThreatModeler.
“This is the mother lode of all leaks,” Agarwal said Monday. “Governments are made or broken on this. I don’t even have the words to describe it.”
Joe Loomis, the founder and chief technology officer at the cybersecurity firm CyberSponse, predicted that a series of lawsuits against Deep Root over the accidental leak would prove damaging.
“Even if it was human error and not intentional, one IT person is probably going to put this company out of business,” he said.