RoboCent, a Virginia Beach-based political robocall firm, has exposed the personal details of hundreds of thousands of US voters, according to the findings of a security researcher who stumbled upon the company’s database online.
The researcher, Bob Diachenko of Kromtech Security, says he discovered the data using a recently launched online service called GrayhatWarfare that allows users to search publicly exposed Amazon Web Services data storage buckets. Such buckets should never be left exposed to public access, as they could hold sensitive data.
Diachenko found RoboCent’s exposed AWS bucket by searching for the term “voters.” He chose this particular term because last year he had found a gigantic MongoDB database exposing the voter records of over 19 million Californians.
Personal details and political affiliations exposed
The server that drew Diachenko’s attention this time contained 2,584 files, which the researcher later connected to RoboCent.
The types of user data exposed via RoboCent’s bucket included:
⬖ Full Name, suffix, prefix
⬖ Phone numbers (cell and landlines)
⬖ Address with house, street, city, state, zip, precinct
⬖ Political affiliation provided by state, or inferred based on voting history
⬖ Age and birth year
⬖ Jurisdiction breakdown based on district, zip code, precinct, county, state
⬖ Demographics based on ethnicity, language, education
Other data found on the servers, but not necessarily personal data, included audio files with prerecorded political messages used for robocalls.
According to RoboCent’s website, the company was not only providing robo-calling services for political surveys and inquiries but was also selling this data in raw format.
“Clients can now purchase voter data directly from their RoboCall provider,” the company’s website reads. “We provide voter files for every need, whether it be for a new RoboCall or simply to update records for door knocking.”
The company sells voter records for a price of 3¢/record. Leaving the core of its business available online on an AWS bucket without authentication is… self-defeating.
RoboCent: We’re a small shop
Diachenko says he notified the company about their exposed database, and they secured it shortly after his report.
“We’re a small shop (I’m the only developer) so keeping track of everything can be tough,” a RoboCent employee told Diachenko.
Leaks of US voter records have become common these days. Back in June 2017, security firm UpGuard found an Amazon S3 bucket containing the details of over 198 million US voters.
Back in November 2017, Amazon rolled out changes to the AWS admin dashboards to warn customers when they’re exposing S3 buckets.