
Firm Contracted By Republican Groups Left Millions Of Voter Files Unsecured Online

A database with the information of nearly 200 million people was discovered by a cyber-risk analyst. The voter information had been compiled by a marketing firm contracted by Republican groups.
Zach Gibson
Getty Images

Updated at 11:30 a.m. ET

So it seems that it's not only Democrats who have trouble keeping their digital information secure online. An extensive database of information about 198 million Americans collected by a contractor hired by Republican groups was obtained by a security researcher, who found it on an Amazon server, with not even a single password protecting it.

The data included home addresses, birth dates and phone numbers of voters from both parties. It was discovered by Chris Vickery, a cyber-risk analyst with the firm UpGuard.

The data was compiled by Deep Root Analytics, which advises campaigns on political TV advertising and was contracted by the Republican National Committee and other GOP groups. In a statement to NPR, Deep Root said since being made aware of the data breach, it has updated the access settings and put protocols in place to prevent further access. The company said it had last evaluated and updated its security settings on June 1, suggesting that access settings were changed later. "We accept full responsibility, will continue with our investigation, and based on the information we have gathered thus far, we do not believe that our systems have been hacked," the company said in a statement, adding that Vickery was "the only entity that we are aware of that had access to the data."

The unprotected data included information on voters' positions on issues from gun ownership to abortion as well as religious affiliation and ethnicity. It was amassed from public sources as well as less public ones, which Gizmodo reported ranged from "the banned subreddit r/fatpeoplehate to American Crossroads, the super PAC co-founded by former White House strategist Karl Rove."

Cybersecurity played a big role in the 2016 presidential campaign — with Republicans mostly pointing fingers at Democrats. The hacking of emails from the DNC and Clinton campaign manager John Podesta became a major pre-election controversy. Intelligence officials blamed the hacking on Russia, and it indirectly set in motion the current investigation of Russian meddling in the 2016 election and possible ties between Trump campaign officials and Russia.

Then-candidate Trump made an issue of the DNC hacks, tweeting, "Gross negligence by the Democratic National Committee allowed hacking to take place. The Republican national committee had strong defense!"

Well, maybe not as strong as Trump thought.

In January, then-FBI Director James Comey testified there had been "penetration on the Republican side of the aisle and old Republican National Committee domains," but he said none of those emails had been released. He said then there was no evidence that the current RNC or the Trump campaign had been hacked.

It may just prove that in the digital age there are two types of people, those who have had their data hacked, and those who haven't had their data hacked — yet.

Copyright 2020 NPR.

Corrected: June 19, 2017 at 10:00 PM MDT
We have updated this story to make clear that the exposed data belonged to the company Deep Root, not the Republican National Committee, and that Deep Root had been contracted not just by the RNC, but also by other Republican groups.
NPR News' Brian Naylor is a correspondent on the Washington Desk. In this role, he covers politics and federal agencies.