The information was being stored on an Amazon cloud server with no security to speak of — not even a password. Anyone with the URL could access the information.
Nearly every registered voter in the United States (198 million of an estimated 200 million people) had some of their data leaked. Information includes birthdates, home addresses, and phone numbers, as well as predicted information assembled by analysis groups to determine things like ethnicity, religion and stances on hot-button issues such as gun ownership and abortion.
The data was discovered by Chris Vickery with UpGuard, a cyber risk analysis firm. While none of the data was classified or illegally obtained, experts have expressed privacy concerns over what such a leak entails.
"[The data] is valuable for people who have nefarious purposes," said Joseph Lorenzo Hall, the chief technologist at the Center for Democracy and Technology.
The information was collected by Deep Root Analytics, which aggregates information from everything from subreddits to super PACs. They were paid just under $1 million to act as one of the three data analytics firms for RNC campaigns in 2016, with millions more coming from other conservative groups such as GOP Data Trust, which creates profiles on Republican primary voters.
Deep Root founder Alex Lundry issued a statement taking responsibility for the leak. "Since this event has come to our attention, we have updated the access settings and put protocols in place to prevent further access," he said, adding that the data, which was exposed for 12 days, was not accessed by "malicious third parties" to the best of his knowledge.
"Based on the information we have gathered thus far, we do not believe that our systems have been hacked," Lundry said. An investigation into the nature of the leak is ongoing.
Other major contributors include Americans for Prosperity, the Koch brothers-owned political group that lobbies, marshals and organizes for conservative causes, and TargetPoint, a market research firm founded by members of Mitt Romney's 2012 presidential campaign team. The TargetPoint data assessed the stances of voters on countless issues, from Trump to taxes to the environment to pharmaceutical companies.
"Data like that would be a combination of polling data, real world data from door-knocking and phone-calling and other canvassing activities, coupled with modeling using the data we already have to extrapolate what the voters we don't know about would think," said an anonymous Democratic strategist to Gizmodo. "The campaigns that do it right combine all the available data together to make the most robust model for every single voter in the target universe."
More information still came from The Kantar Group, an international media and market research firm with hundreds of offices on six continents. The files offered feedback on the cost, reach, and effectiveness of numerous political ads, as well as files on every single 2016 presidential campaign. Organizations like the American Civil Liberties Union, the Democratic Senatorial Campaign Committee and Planned Parenthood were also profiled. American Crossroads, a Super PAC co-founded by Karl Rove (the architect of both of George W. Bush's presidential campaign victories,) contributed strategic voter data in key battleground states during the 2016 election.
In short, a terabyte of the data and analysis that brought Donald Trump his come-from-behind victory in the 2016 presidential election, the result of surprising and slim victories in numerous swing states, was leaked online for all to see.
Lundry described the data as "proprietary analysis to help inform local television ad buying," not for sale. The contributing organizations suggest that the data was mostly used to inform the advertising of Republican political campaigns in 2016.
Vickery has repeatedly discovered similar leaks in recent months. In May, he found a US defense contractor that had published hundreds of thousands of files — some of them classified — on a similarly unsecured Amazon server.