Robocaller's Misconfigured AWS Cloud Storage Leaks U.S. Voter Data

Nobody likes robocalls. People now have reason to like them even less, because Kromtech Security head of communications Bob Diachenko revealed that a firm called Robocent accidentally compromised U.S. voter data through a misconfigured Amazon Web Services (AWS) S3 bucket. Robocent didn't gather the data on its own -- it bought it from data brokers like NationBuilder--but this blunder still exposed this ostensibly private information.

This misconfigured form of cloud storage exposed "hundreds of thousands" of voter records, Diachenko said. It also contained other files, including audio used during robocalls. (Not that anyone outside the robocalling industry wants to listen to those messages out of turn.) Diachenko examined the voter records to figure out what information was revealed by Robocent and came up with the following list of data types:

  • Full Name, suffix, prefix
  • Phone numbers (cell and landlines)
  • Address with house, street, city, state, zip and precinct
  • Political affiliation provided by state, or inferred based on voting trends/history
  • Age and birth year
  • Gender
  • Jurisdiction breakdown based on district, zip code, precinct, county and state
  • Demographics based on ethnicity, language, education

This information was just waiting to be collected from Robocent's storage. There's a greater-than-zero chance it was already compromised, too, because Diachenko said the bucket was indexed by a service called GrayHat Warfare that keeps a list of unprotected S3 buckets. It's almost like Robocent left the door unlocked, someone went around jiggling doorknobs and then let the rest of the world know they could walk right through.

It gets even more disheartening. Diachenko said that when he contacted Robocent, he received a response saying that "We're a small shop (I'm the only developer), so keeping track of everything can be tough." Odds are good that many other companies dealing with private information, whether it's about U.S. voters or not, have a similarly overworked developer managing their infrastructure. Mistakes will be made.

There is good news: Robocent immediately secured the S3 bucket after Diachenko made contact. The company also told ZDNet that the information on this bucket was from 2013-2016. That doesn't mean the data's useless, especially when it relates to people who've lived in the same place and had the same phone number for years, but it does mean it's slightly outdated. You have to find comfort in the little things, right?

Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

  • dhayric
    But it's impossible for illegals to vote right?
  • sykozis
    21156663 said:
    But it's impossible for illegals to vote right?

    Nothing is impossible. However, having access to such information about voters makes it much easier to carry out disinformation campaigns. Also leaves anyone considering identity theft, only having to collect 1 piece of information....
  • TJ Hooker
    @dayhric maybe I'm missing something, what does that have to do with the article?
  • stdragon
    I'm not typically for more laws, but having a MACHINE spamming my cell number is an irritation ad infinitum unto itself!

    I don't want robocalls, and I certainly don't want solicitations. If you're going to call me, 1. it better be a human at the other end. 2. it better be based on a topic that serves my interests and/or it's from someone that I ether know or associate with.
  • irfbhatt
    You have to find comfort in the little things) Who can know this)
  • derekullo
    I wonder how many "imaginative" answers they have from all the people being called at 3 in the morning.
  • nobspls
    Sounds like Russian operative Diachenko is up to no good again!