A Virginia-based political robocall firm reportedly left thousands of U.S. voter records exposed on an online server, including personally identifiable information.
Robocent had stored voters’ full names, phone numbers, addresses, political affiliations, as well as age and gender on a public Amazon S3 bucket without any password protection, according to Kromtech Security’s Bob Diachenko.
Diachenko, who discovered the unprotected data, took screenshots and posted them to a LinkedIn blog post. {mosads}
“Robocent cloud storage, with 2594 listed files, was available for anybody on the internet searching for a ‘voters’ keyword, long before I have spotted it,” wrote Diachenko.
“What’s more disturbing is that company’s self-titled bucket has been indexed by GrayhatWarfare, a searchable database where a current list of 48,623 open S3 buckets can be found,” he added.
Robocent markets itself as having “reliable voter data” for just 3 cents per record as well as the ability to “reach thousands of voters instantly with robocalls,” according to its website.
“We provide voter files for every need, whether it be for a new robocall or simply to update records for door knocking. Our simple request process allows users to choose exactly who to target with no minimum order,” the website reads.
Diachenko contacted the company’s lead developer to notify them of his findings.
“We’re a small shop (I’m the only developer) so keeping track of everything can be tough,” the developer wrote to Diachenko after he alerted him, according to the blog post.
Robocent co-founder Travis Trawick in an emailed statement told The Hill the data has since been secured and that their “active data” is properly secured.
Trawick also downplayed the breach, stating that “no customer information beyond the name of their campaign was released in the data exposure.”
“We have no evidence to support that this data has been accessed by any third parties for inappropriate use. The affected data is a very small portion of the full data that is housed by RoboCent,” Trawick continued.
He said the company, however, is going through the process of notifying the affected customers as well as determining how to properly report this breach to the authorities.
While it is unclear how long the data remained available online, Trawick said the data was from “an old bucket from 2013-2016 that hasn’t been used in the past two years.”
The Robocent exposure is the latest in a handful of voter data breaches in recent years.