It’s difficult to characterize the data breach of a consulting firm that worked for the Republican National Committee. Deep Root Analytics of Arlington, Va., was paid approximately $1 million by the RNC to amass a storehouse of information on nearly every voter in the United States.
As one might expect, the data files included the name, address and age of those voters—information a researcher would find out from voter registration data. However, in addition, the files reportedly contained information about political leanings, purported stands on certain issues and even limited social media postings. Fortunately, no Social Security or credit card numbers were included.
But perhaps what’s most surprising about the revelations regarding the Deep Root breach is the group’s astonishing demonstrated level of ineptitude. The data was exposed following a software upgrade, when the company forgot to turn on the password protection again.
Yes, that’s right. Deep Root protected a data store with highly proprietary data belonging to the RNC using simply a password. That was it. There was no attempt to logically separate the names of the voters from their information—something that could be done easily because each item had a unique RNC ID number. It also showed that the RNC was getting ripped off.
Little Sophistication Exhibited in Selecting Data for Storage
Deep Root showed little sophistication in choosing the data it used to identify potential leanings or political opinions, basing its social media analysis only on Reddit posts. Other data appears to have come from other research firms that collected it, but there appears to have been no effort to ensure accuracy.
And of course, there’s the security—or, rather, the total lack of security. As a contractor, Deep Root had an obligation to protect the RNC’s intellectual property, as well as the intellectual property of the other research firms from which Deep Root gathered data. Apparently, those obligations were ignored.
In fact, when cyber-risk analyst Chris Vickery, who works for Silicon Valley security startup UpGuard, was doing a routine survey of unprotected data, he found more than a terabyte of voter files lying unprotected. In addition to the basic voter information, the Deep Root data contained modeled voter ethnicities and religions.
Naturally, this was alarming to some highly regarded data analysis firms that also worked for the RNC. TargetPoint, for example, had compiled a database of policy preferences and political actions that UpGuard described as highly accurate. The Deep Root breach exposed all TargetPoint’s efforts.
Other Data Analytics Companies Exposed
Likewise, Data Trust, a Washington firm created by the RNC for data analysis, was exposed by Deep Root. The breach also laid bare the RNC’s entire data file, which it had spent years and millions of dollars developing. This massive data file, combined with the data from Target Point, was intended to be used in micro-targeting, which allows the GOP to zero in on individual voters or small groups with information they knew would resonate.
So, what we have with the Deep Root breach is the public release of data that is essentially the heart of the GOP campaign data-analysis effort. While the usefulness of Reddit posts is up for debate, the fact is that the revelations have a vast and negative impact on the future operations of the Republican Party as it enters a critical election year.
It’s negative because the GOP has no way to know who else has this data. The Russians could easily have downloaded it, as could the Democrats. If that’s the case, the other parties would know everything the Republicans know about every voter in the United States. At the very least, the GOP data-analysis effort will be operating with an overtone of doubt.
Unfortunately, there’s not much the government can do to penalize Deep Root. This is one area where the laws have failed to keep pace with technology. Even the Federal Trade Commission can’t do much, because it’s impossible to say that Deep Root managed to hurt the public, since much of the factual information is available from public records.
Civil Action Is a Possibility
But there are things that can be done. The RNC, Data Trust and TargetPoint all can take civil action against Deep Root for failing to protect their intellectual property. And if the RNC doesn’t already have some sort of contractual data protection requirement, then it certainly will have one starting now. No doubt, the other contractors already have non-disclosure requirements to protect their data, which Deep Root has clearly violated.
This incident also creates an awareness that security must be a requirement that’s enforced by stringent provisions of any contract to manage data. Deep Root’s astonishing level of ineptitude points out the fact that you can’t just assume that your contractors will do the right thing.
While there are things that could have been done, such as masking the personal information so the data was accurate but the names were not, might have worked. Delphix strategic adviser Adam Bowen suggested that for most uses, the real names of voters didn’t need to be paired with the data. He noted that part of the problem stems from a lack of understanding of the value of data.
“Until we start treating data the same way we do intellectual property, we’re going to continue to see this, where people see data as a disposable commodity,” Bowen told eWEEK.
On a larger basis, this breach underscores the need for legislation covering data protection. The fact that it is the Republican Party suffering might encourage some GOP legislators to support such a bill.
After all, why complain about the Russians when the GOP can’t even secure its own data?