Nobody likes robocalls. People now have reason to like them even less, because Kromtech Security head of communications Bob Diachenko revealed that a firm called Robocent accidentally compromised U.S. voter data through a misconfigured Amazon Web Services (AWS) S3 bucket. Robocent didn't gather the data on its own (it bought it from data brokers like NationBuilder), but this blunder still exposed this ostensibly private information.
The misconfigured bucket exposed "hundreds of thousands" of voter records, Diachenko said. It also contained other files, including audio used during robocalls. (Not that anyone outside the robocalling industry wants to listen to those messages out of turn.) Diachenko examined the voter records to figure out what information Robocent had exposed and came up with the following list of data types:
- Full Name, suffix, prefix
- Phone numbers (cell and landlines)
- Address with house, street, city, state, zip and precinct
- Political affiliation provided by state, or inferred based on voting trends/history
- Age and birth year
- Jurisdiction breakdown based on district, zip code, precinct, county and state
- Demographics based on ethnicity, language, education
This information was just waiting to be collected from Robocent's storage. There's a greater-than-zero chance it was already compromised, too, because Diachenko said the bucket was indexed by a service called GrayHat Warfare that keeps a list of unprotected S3 buckets. It's almost like Robocent left the door unlocked, someone went around jiggling doorknobs and then let the rest of the world know they could walk right through.
It gets even more disheartening. Diachenko said that when he contacted Robocent, he received a response saying that "We're a small shop (I'm the only developer), so keeping track of everything can be tough." Odds are good that many other companies dealing with private information, whether it's about U.S. voters or not, have a similarly overworked developer managing their infrastructure. Mistakes will be made.
There is good news: Robocent immediately secured the S3 bucket after Diachenko made contact. The company also told ZDNet that the information on this bucket was from 2013-2016. That doesn't mean the data's useless, especially when it relates to people who've lived in the same place and had the same phone number for years, but it does mean it's slightly outdated. You have to find comfort in the little things, right?