Voter Data Found Exposed on Misconfigured AWS Server
August 27, 2018
Politics. Always something interesting to discuss and of course one of the forbidden holiday dinner topics. Even something non-partisan such as the recent incident with the robocall firm RoboCent will likely spark heated conversation. However, the fact is details of hundreds of thousands of U.S. voters were found for sale online for a measly 3 cents per record. Don’t hackers know a vote is worth far more than that?
Seriously though, a researcher found the records while querying for the term “voters” using a tool that allows the searching of publicly exposed Amazon Web Services (AWS) storage buckets.
The bucket used by RoboCent contained voter data including names, phone numbers, addresses, precincts, political affiliations that were inferred by voting trends, age, gender, jurisdiction broken out by district, zip, precinct, county, and state, as well as ethnicity, language, and education demographics. There were even audio files of pre-recorded political messages used for the robo-calling service. That’s a pretty thorough list of data…and it’s pretty cheap in the grand scheme of things. After all, a single healthcare record can cost more than $300. It really does make you go, “Hmmmmm.”
So what does this mean to us, the poor schlubs that have no power over how our information keeps spilling into the wild? It means little until the information is weaponized. Data is just data until it is used to extract data from us. Cybercriminals are getting very good at producing targeted emails with our breached information; the more believable, the higher the click rate. Generally, when folks see a bunch of accurate information about their lives, they believe the email is credible.
Believable emails, text messages, and social media posts are the norm these days and they all pack a punch. Ransomware, banking malware, data/credential stealing trojans and cyberextortion are continually circulating through our cyber-lives, waiting for us to click. We can all avoid a ton of headaches if we just don't click on any unexpected link or attachment. Even if the sender is known, was the link or attachment expected? If not, verify it with the sender in a separate email or phone call.
The researcher who found the exposed data did alert RoboCent about the exposure before alerting the media, and it was quickly secured. But obviously not before at least some damage was done.
Unsecured AWS servers are not uncommon. But that doesn’t mean the companies using them are excused for not securing them and protecting the data contained within them. If you use AWS or any services like it, make sure the data you store on them is not left open for researchers, or worse, to find. You have every right, and even the responsibility, to secure them and to do your own querying for data exposure. There are tools out there that allow you to check up on this, such as the one this researcher used. In the past, many MongoDB servers were found exposed using similar tools. If the “good” guys are using these tools, you can bet the “bad” guys are too.
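As an added illustration of checking your own buckets for exposure (this is example code written for this page, not the researcher's tool or anything from RoboCent), the sketch below evaluates bucket settings shaped like the responses of the S3 GetBucketAcl, GetPublicAccessBlock and GetBucketPolicyStatus calls. The bucket names and sample settings are constructed, and account-level Block Public Access is assumed to be off.

```python
# Added example: offline evaluation of S3 bucket settings. Input dicts mirror the
# S3 GetBucketAcl / GetPublicAccessBlock / GetBucketPolicyStatus response shapes.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

def public_exposure(acl, block=None, policy_status=None):
    """Return a list of findings describing how a bucket is publicly reachable."""
    cfg = (block or {}).get("PublicAccessBlockConfiguration", {})
    findings = []
    # Public ACL grants stay effective unless IgnorePublicAcls is switched on.
    if not cfg.get("IgnorePublicAcls", False):
        for grant in acl.get("Grants", []):
            grantee = grant.get("Grantee", {})
            who = PUBLIC_GROUPS.get(grantee.get("URI"))
            if grantee.get("Type") == "Group" and who:
                findings.append(f"ACL grants {grant['Permission']} to {who}")
    # A public bucket policy stays effective unless RestrictPublicBuckets is on.
    is_public = (policy_status or {}).get("PolicyStatus", {}).get("IsPublic", False)
    if is_public and not cfg.get("RestrictPublicBuckets", False):
        findings.append("bucket policy allows public access")
    return findings

def audit(buckets):
    """Map bucket name -> findings, keeping only buckets with an exposure."""
    report = {name: public_exposure(**cfg) for name, cfg in buckets.items()}
    return {name: found for name, found in report.items() if found}

# Constructed sample data (hypothetical bucket names and owner id).
ALL_USERS = {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}
OWNER = {"Type": "CanonicalUser", "ID": "example-owner-id"}
OWNER_ONLY = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
WORLD_READ = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"},
                         {"Grantee": ALL_USERS, "Permission": "READ"}]}
LOCKED = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}
PUBLIC_POLICY = {"PolicyStatus": {"IsPublic": True}}
SAMPLE = {
    "example-open-bucket": {"acl": WORLD_READ},
    "example-policy-bucket": {"acl": OWNER_ONLY, "policy_status": PUBLIC_POLICY},
    "example-locked-bucket": {"acl": WORLD_READ, "block": LOCKED,
                              "policy_status": PUBLIC_POLICY},
}

if __name__ == "__main__":
    for name, found in audit(SAMPLE).items():
        print(name, "->", "; ".join(found))
```

The third sample bucket carries the same public ACL and policy as the first two but reports nothing, because its public access block settings override both.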