A political robocalling company called RoboCent exposed 4,500 client files to the open Internet by failing to properly configure its cloud storage on Amazon Web Services (AWS).
Those files, which were uploaded to the company’s AWS portal by campaign staffers working on behalf of political candidates across the United States, contained millions of records about individual U.S. voters.
Some of the files, which were primarily Excel spreadsheets, contained details about specific voters that went far beyond information that is publicly available through voter rolls compiled by state governments, which often include name, address, phone number, and party affiliation.
One spreadsheet described voters in the Bronx with labels such as “Fragile Families” and “Meager Metro Means.” Another estimated the net worth and annual income of individual Floridians. Others listed specific hobbies and interests for each voter, such as NASCAR, woodworking, and scuba diving. Several noted whether or not someone owned a gun.
The exposed files were being stored in the cloud and were publicly accessible, no password required, for an unknown period of time. They were grouped into two buckets on Amazon Simple Storage Service (s3), one of the products available through AWS.
Misconfigured cloud storage has led to the exposure of a staggering number of sensitive records in recent years. One report found that 102,431,953 files were mistakenly exposed on Amazon Simple Storage Service in just the first three months of 2018.
Last year, records concerning 1.8 million Chicago voters were freely accessible online due to misconfigured AWS storage, as was another batch describing 198 million U.S. voters. Large companies are also susceptible—FedEx, Verizon, and Time Warner (now called Spectrum) have all suffered data exposures due to improper AWS security settings in the past year.
Virginia-based RoboCent is one of several small U.S. companies that place robocalls and conduct polls on behalf of political campaigns. RoboCent advertises its automated services as “starting at 1 cent per dial.”
IEEE Spectrum received a tip about RoboCent’s exposed files from a cybersecurity specialist who wished to remain anonymous due to the nature of their work.
The first bucket contained “just over 2,600 files,” according to RoboCent cofounder Travis Trawick, and was independently discovered by security researcher Bob Diachenko, who disclosed it to the company on 15 July. That disclosure, and the company’s subsequent press release, concerned files located at robocent.s3.amazonaws.com.
In addition to spreadsheets, those files also included recordings of robocalls made by Republican and Democratic candidates and their staffers.
“I believe the public listing on the s3 bucket was turned on instead of turned off,” Trawick said. “It was, pretty honestly, a rookie mistake. We have figured that out and locked it down.” RoboCent has cycled through four developers in five years, he adds, each of whom held varying degrees of responsibility over the company’s data security.
In response to Diachenko’s disclosure, RoboCent said the “affected database was from 2013–2016” and called it “outdated.”
But a second bucket at robo-uploads.s3.amazonaws.com, which was not mentioned in the original disclosure, contained many files whose names suggest they were uploaded in June 2018.[shortcode ieee-pullquote quote=""It was, pretty honestly, a rookie mistake."" float="left" expand=1]
That bucket contained at least 1,903 files that were publicly available as recently as 16 July by directly navigating to URLs listed in a directory posted to Amazon Web Services.
Those spreadsheets contained data about voters from Alabama, Alaska, Hawaii, Illinois, California, Connecticut, Georgia, Massachusetts, Michigan, New Jersey, New York, North Carolina, Ohio, Pennsylvania, South Carolina, Florida, Utah, Tennessee, Texas, and Virginia.
An IEEE Spectrum analysis of 50 of the largest data files in that group showed that the files together contained more than 2.5 million voter records. The largest spreadsheet in the group held half a million records.
Many of the files in that second bucket contained inferences about voters’ finances, religious affiliations, personal interests and hobbies, and how they are likely to feel about issues such as abortion and health care reform.
Such data is compiled by companies, including Aristotle, Experian, Front Line Strategies, and Tridente Strategies, that help marketers and political organizations to target advertisements and campaigns. Political campaigns that purchased data from those companies would have uploaded it to RoboCent’s cloud storage in order to place automated calls to voters on each list.
One spreadsheet in the second bucket, for example, places 13,400 residents of the Bronx, New York, into subgroups such as Fragile Families that reflect categories described within Experian’s Mosaic service, which promises to help brands market to certain types of customers.
The Fragile Families group includes many recent immigrants who “admit they’re not good at saving money” and “spend above their income level,” according to a 2011 document [PDF] available on the website of MissionInsite, a company that uses Experian’s data to help churches and faith-based organizations tailor their ministries and outreach to specific groups of people.
Among them is a 52-year-old Hispanic man living in the Bronx who makes an estimated $44,000 a year and likely has a child at home. A model has calculated his total net worth to be less than $50,000 and determined that he is probably single.
Thanks to RoboCent, the spreadsheet containing his name, phone number, address, and Fragile Families designation was freely available on the Internet for anyone to download.
Another group listed on the same Bronx spreadsheet is Meager Metro Means. That group is made up of African-American singles who live in the inner city and have carved out “adequate lifestyles” despite “high unemployment.” According to the 2011 document, “fast food will do just fine” for these individuals, who are also said to be “too busy to take care of themselves.”[shortcode ieee-pullquote quote=""It seems like the company didn't understand the importance of data."" float="left" expand=1]
Experian did not respond to a request for comment about its Mosaic service.
Another spreadsheet from the second bucket contains more than 100 fields describing the personal and political interests of individual voters. With that spreadsheet, it’s possible to identify a 65-year-old married man of Romanian descent who likes to collect antiques and buy art, and is interested in domestic travel and aerobic exercise.
A different spreadsheet that was also in the second bucket and whose file name suggests it came from Tridente Strategies, lists 47,000 Floridians who are ages 65 and older and includes alphanumerical rankings for their income, wealth, and net worth along with the size of their household and how many lines of credit they currently have open.
When reached with questions concerning the second bucket, Trawick said, “I’ll definitely review that immediately. I have not been informed of that, I believe.”
Later, he said the second bucket was intentionally configured to grant access to anyone who had the URL for a specific file—no password necessary.
“If you already had access to those files, you would be able to access them from anywhere. And that’s intentional,” he said. “It’s configured so that you can access the files without needing to log in with a password.”
His statement contradicted the company’s press release about the first bucket, which said, “Our active data is properly secured and requires a password to access.”
Gail-Joon Ahn, a researcher who specializes in cloud security at Arizona State University, called RoboCent’s approach an “improper and misuse of [cloud] technology.”
“They are maintaining very valuable and critical and sensitive information in their bucket, but they didn’t use any shield, or any countermeasures at all,” he said. “It seems like the company didn’t understand the importance of data.”
RoboCent has now restricted access to both buckets, and Trawick says the company is in the process of moving all of its clients’ data to a more secure server. “We have no evidence to support the notion that any of the data was used inappropriately,” he adds.