Republican database of voter info was exposed on internet

By Brian Fung and Craig Timberg / The Washington Post

A Republican National Committee database of nearly every registered American voter was left vulnerable to theft on a public server for 12 days this month, according to a cybersecurity researcher who found and downloaded the trove of data.

The lapse in security was striking for putting at risk the identities, voting histories and views of voters across the political spectrum, with data drawn from a wide range of sources including social media, public government records and proprietary polling by political groups.

Chris Vickery, a risk analyst at cybersecurity firm UpGuard, said he found a spreadsheet of nearly 200 million Americans on a server run by Amazon’s cloud hosting business that was left without a password or any other protection. Anyone with Internet access who found the server could also have downloaded the entire file.

The server contained data from Deep Root Analytics, a contractor to the Republican National Committee, which used Amazon Web Services for server storage. Vickery said he came up on the server’s address as he scanned the Internet for unsecured databases.

“With this data you can target neighborhoods, individuals, people of all sorts of persuasions,” said Vickery in an interview. “I could give you the home address of every person the RNC believes voted for Trump.”

It is not known whether the information has been accessed by any one but Vickery. But if it was, it would represent perhaps the largest political data mishap in American history. Gizmodo was first to report details of the data vulnerability Monday. The Washington Post has not reviewed the file.

The RNC did not provide immediate comment. In a statement, Deep Root founder Alex Lundry told Gizmodo, “We take full responsibility for this situation.” He said the data included proprietary information as well as publicly available voter data provided by state government officials. “Since this event has come to our attention, we have updated the access settings and put protocols in place to prevent further access,” Lundry said.

In all, the leaked files amount to more than 1,000 gigabytes of data – more than four times the size of any previous breach of this type, according to Vickery. The data fields included views on specific issues including abortion, gun rights and environmental issues, he said.

The detailed file does not stop at Trump supporters, but likely includes Democrats, independents and many voters in between, he said. At a time when even many Americans protect their most basic emails and photos using passwords and two-step authentication, the security missteps by Deep Root Analytics, the contractor behind the breach, represent a form of gross negligence, he added.

The file has been secured now for several days, Vickery said, adding that he informed law enforcement of the vulnerability after discovering it.

“What is alarming about this now is that I believe it’s the first time RNC IDs and model data have been exposed,” said Matt Oszcowski, a veteran GOP political data strategist. “This is not just a list of people; this is unique proprietary information which gives away [Republican] strategy and informs on targeting and methodology.”

Privacy experts expressed alarm over the breach, which they said shows how deeply personal data has become integrated into the modern political campaign.

“They’re using this information to create political dossiers on individuals that are now available for anyone,” said Jeffrey Chester, executive director of the Center for Digital Democracy. “These political data firms might as well be working for the Russians.”

Deep Root Analytics’ unprotected server appeared to have exposed data housed by the Data Trust, the private data company hired by the Republican National Committee to update its voter file — part of a costly effort to improve the party’s data collection and analysis in the wake of the 2012 election.

The RNC poured more than $20 million into data services in the 2016 cycle, according to Federal Election Commission records. Of that, $6.2 million went to Data Trust, which has an exclusive list-sharing agreement with the national party. That allows the company to swap RNC voter data with independent big-money groups such as American Crossroads and American Action Network, helping enrich the party’s master voter file.

Among the outside entities that participated in data swaps with Data Trust last cycle was i360, a rival operation financed by Freedom Partners, a nonprofit backed by the wealthy Koch brothers and other conservative donors. The private firm — which has its own individual-level database of 194 million voters culled from registration files, consumer data and social media profiles – provides data and technology to groups in the Koch network, as well as GOP campaigns and vendors.

The Koch data operation, which is widely regarded by Republican strategists, had more than 200 GOP campaigns and state parties as clients in 2016, The Post reported last year.

For its part, Deep Root Analytics worked for at least 14 GOP political committees in the 2016 cycle, FEC records show. Among its clients: House Speaker Paul Ryan’s campaign committee and his allied House super PAC; the Senate Leadership Fund, a super PAC aligned with American Crossroads and Senate Majority Leader Mitch McConnell; and former Florida governor Jeb Bush’s presidential campaign and allied super PAC.

There are no reported payments from the RNC to Deep Root. However, the party spent $983,000 on “polling services/consulting” with a company called Needle Drop, which is a subsidiary of Deep Root, according to AdAge.

“There is much more of a life cycle here at the RNC now that revolves around data,” then-RNC chief of staff Katie Walsh told The Post in July 2015. “Everything we do here comes back to, ‘How does that improve the voter file?’”

The Washington Post’s Matea Gold contributed reporting.

Talk to us

> Give us your news tips.

> Send us a letter to the editor.

> More Herald contact information.

More in Local News

Olivia Vanni / The Herald The Mukilteo Lighthouse. Built in 1906, it’s one of the most iconic landmarks in Snohomish County. The Mukilteo Lighthouse. Built in 1906, it’s one of the most iconic landmarks in Snohomish County. (Olivia Vanni / The Herald)
Mukilteo mayor vetoes council-approved sales tax

The tax would have helped pay for transportation infrastructure, but was also set to give Mukilteo the highest sales tax rate in the state.

Marysville Mayor Jon Nehring gives the state of the city address at the Marysville Civic Center on Wednesday, Jan. 31, 2024, in Marysville, Washington. (Ryan Berry / The Herald)
Marysville council approves interim middle housing law

The council passed the regulations to prevent a state model code from taking effect by default. It expects to approve final rules by October.

x
State audit takes issue with Edmonds COVID grant monitoring

The audit report covered 2023 and is the third since 2020 that found similar issues with COVID-19 recovery grant documentation.

Bothell
Bothell man pleads guilty to sexual abuse of Marysville middle schoolers

The man allegedly sexually assaulted three students in exchange for vapes and edibles in 2022. His sentencing is set for Aug. 29.

Larsen talks proposed Medicaid cuts during Compass Health stop in Everett

Compass Health plans to open its new behavioral health center in August. Nearly all of the nonprofit’s patients rely on Medicaid.

A wall diagram shows the “journey of the ballot” at the new Elections Center on Tuesday, July 9, 2024 in Everett, Washington. (Olivia Vanni / The Herald)
County Auditor: No need for feds to meddle with state or local elections

Garth Fell’s comments were in response to a report of Justice Department mulling criminal charges against election officials.

Edmonds Police Chief Loi Dawkins speaks after the city council approved her appointment on Tuesday, July 8, 2025 in Edmonds, Washington. (Olivia Vanni / The Herald)
Edmonds City Council confirms new police chief

Assistant Chief Loi Dawkins will begin in the role Aug. 1. She has more than 23 years of law enforcement experience, including three years in Edmonds.

Community members gather for the dedication of the Oso Landslide Memorial following the ten-year remembrance of the slide on Friday, March 22, 2024, at the Oso Landslide Memorial in Oso, Washington. (Ryan Berry / The Herald)
The Daily Herald garners 6 awards from regional journalism competition

The awards recognize the best in journalism from media outlets across Alaska, Idaho, Montana, Oregon and Washington.

The Edmonds City Council discuss the levy during a city council meeting on Tuesday, July 8, 2025 in Edmonds, Washington. (Olivia Vanni / The Herald)
Edmonds votes to place levy lid lift on the ballot

By a vote of 5-2, the council decided to put the $14.5 million property tax levy lid lift to voters in November.

A trash hauler from Republic Services. (Provided photo)
Growing Teamsters strike disrupts garbage pickup in Snohomish County

Republic Services said a temporary work stoppage is causing some customers in the county to experience “temporary service delays.”

Lily Lamoureux stacks Weebly Funko toys in preparation for Funko Friday at Funko Field in Everett on July 12, 2019. Kevin Clark / The Herald)
Everett-based Funko ousts its CEO after 14 months

The company, known for its toy figures based on pop culture, named Michael Lunsford as its interim CEO.

‘Courageous’ teen dives into Silver Lake to rescue 11-year-old

Gauge Bryant, 13, brought the child to the surface. The 11-year-old is in stable but critical condition, authorities said.

Support local journalism

If you value local news, make a gift now to support the trusted journalism you get in The Daily Herald. Donations processed in this system are not tax deductible.