Voters' data was left exposed online because of course it was

Sure, our ballot may be secret. But our voter data? Yeah, not so much.

Our most recent reminder of this disconcerting truth: Bob Diachenko, a self-described cybersecurity enthusiast who works for an IT development firm, discovered an online database containing information on thousands of US voters. The apparently misconfigured database, which belonged to a Virginia-based robocalling firm, reportedly included voters' names, addresses, phone numbers, and political affiliation, along with other personal information.

And it was all there for the taking.

Diachenko describes the unprotected dataset as containing "Hundreds of thousands [of] US voter data," but clarifies in the same blog post that there were 2,594 "listed files." Because a single file could conceivably contain thousands of individuals' data, the exact number of people whose data was exposed isn't immediately clear.

But RoboCent, the robocalling firm behind the exposed database, attempted to minimize the implications of Diachenko's findings. Though firm cofounder Travis Trawick confirmed RoboCent's involvement in a statement to ZDNet, he maintained that the data was from "an old bucket from 2013-2016 that hasn't been used in the past two years."

Trawick's firm offers customers access to "thousands of voters, instantly" — but that's not all RoboCent provides.

"Clients can now purchase voter data directly from their robocall provider," the company explains on its website. "We provide voter files for every need, whether it be for a new robocall or simply to update records for door knocking. Our simple request process allows users to choose exactly who to target with no minimum order."

You can see how such a service might be useful to a bad actor trying to, I don't know, influence an election.

And the cost? Why that would be just $.03 per record. Or, if you knew where to look online, free. According to Diachenko, the dataset was left in a misconfigured and self-titled AWS S3 bucket.

We reached out to RoboCent in an attempt to confirm Diachenko's claims, as well as to determine how long the data had been left exposed, how many people were potentially impacted, and whether the company was aware of any specific incidents of inappropriate access. We received no response as of press time. We also reached out to Diachenko with the hope of getting to the bottom of this, but did not hear back from him as of press time, either.

Whether it be 2,600 people or several hundred thousand people, it's not a good look for RoboCent to be allegedly exposing voter data to the public. Unfortunately, this kind of security lapse is something we're all going to only have to get used to going forward (if you haven't already).

Because even if companies like RoboCent aren't paying attention to their digital security, you can bet others are.