In one of the most ironic data breaches of its kind, a security update by Deep Roots Analytics caused almost 200 million voters to have their personal data exposed for no less than 14 days.
On June 1, 2017 Deep Roots Analytics, the data firm hired by the Republican National Convention to gather and the personal data of millions of Americans, updated their security settings. Over a week later, Chris Vickey, a cyber-risk analyst with UpGuard, discovered and reported the breach.
Data Breach Issue and Risk
The data breach involved the ability for anyone with a link to the access site to be able to enter and gather data — no password or any other verification involved. All they had to do was click on one link and gain access to almost 200 million American voters’ personal information. The breach stood for two weeks after it was discovered, before the system was secured.
There are several risks involved here. Deep Roots gathers information such as names, phone numbers, addresses and dates of birth, but it also gathers information about your opinions concerning controversial topics. In the hands of the Republican National Convention, the information is used for marketing purposes. In the hands of a hacker, well, there is no end to what it can be used for.
A spokesperson for Deep Roots has said there is no evidence that anyone hacked the system or even entered it between the first and the fourteenth, other than Chris Vickey, who discovered the breach on the twelfth.
“Based on the information we have gathered thus far, we do not believe that our systems have been hacked.”
There are a lot of glaring issues that aren’t being addressed here. Topping the list is the question of just how or why a data firm with access to almost 200 million voters’ personal information was securing that data about as well as a group of friends sharing Google documents.
Another problem is they “don’t believe” the system was hacked. For a company that revolves around data, metrics, and securing information, Americans should be able to expect a firmer response than that. As in, in the form of a hard “no” or numbers like “0” when it comes to how much information was seen or taken by hackers.
Finally, what are Americans supposed to do if and when the results of this data breach land in their emptied bank accounts or robbed homes? We suggest you keep a closer eye than usual on all your financial assets, and consider beefing up your own security.
The Deep Roots server is now secured, and the protocol for accessing the information has been updated, but the whole issue seems to have been handled poorly and one has to wonder how long it takes for data companies like this to not just secure information, but warn Americans when a security issue is discovered.