The 198 million US voters whose personal data was left on an unsecured server for anyone to access should request an immediate credit freeze to avoid having their identities stolen as a result of the breach, security experts have said.
“The members of the electorate involved in this incident should immediately request a credit freeze with the major credit bureaus, and keep close track of account activity through commercial credit monitoring services, or monitoring of their own accounts,” advised Robert Capps, VP of business development at NuData Security.
The data, which includes personal data and information on who each person is set to vote for and why, is thought to be the largest ever exposure of voter data, covering the vast majority of the 200 million people registered to vote in the US.
It was left on an open Amazon S3 storage server by Deep Root Analytics, a Republican data analytics company, and was discovered by Chris Vickery, a cyber risk analyst from UpGuard.
At present there does not appear to be a way in which individuals can check if they were affected, but anyone registered to vote in the US is likely to be at risk.
While the focus of the data was voting behaviour, containing information on the subject that goes back over a decade, voters should be more concerned about how their data could be used for more malicious purposes.
“This is a serious data leak, which allows nation states to target ordinary US citizens for additional attacks and surveillance, as well as detailed voting information,” said Capps.
“If this wasn’t bad enough, this highly detailed data could potentially be combined with stolen personal data from other data breaches already available on the dark web to create rich profiles of these individuals.
“Such profiles can be leveraged by cybercriminals and nation-state actors to not only track voting habits, but also use their identities for account takeovers, apply for new credit, and much more.”
While the risk to those affected is similar to previous leaks, this is not a leak or hack in the classic sense, but instead a matter of poor security practices.
“It sounds to me that this is another case of incorrectly secured cloud based systems,” explained Terry Ray, chief product strategist at Imperva.
“Certainly, security of private data – especially my data, as I am a voter – should be of paramount concern to companies who offer to collect such data, but that security concern should ratchet up a few marks when the data storage transitions to the cloud, where poor data repository security may not have the type of secondary data centre controls of an in-house, non-cloud data repository.“