A database containing the voting records of 191 million registered U.S. voters has been leaked online, according to a cybersecurity researcher who said he accessed the records.
Nonpartisan tech and data provider NationBuilder has been linked with some of the information contained in that database.
In a statement Monday, NationBuilder CEO Jim Gilliam said the database didn’t actually belong to NationBuilder. “It is possible that some of the information it contains may have come from data we make available for free to campaigns,” he added. “From what we've seen, the voter information included is already publicly available from each state government so no new or private information was released in this database.”
Steve Ragan, a writer for CSOonline.com, a publication focused on security and risk management that first revealed the exposure of the database, painted this breach as worse than the one that just embroiled several members of Democratic presidential candidate Bernie Sanders’ team. Ragan, along with researcher Chris Vickery, has spent several days trying to track down the source of the leak.
“The problem is, no one seems to care that this database is out there and no one wants to claim ownership,” Ragan wrote.
Given the NationBuilder link, many in the political tech world gleefully pointed out Monday that during a PR blitz earlier this month, NationBuilder’s CEO Jim Gilliam stated that his company could never be responsible for the kind of data breach suffered by partisan rival NGP VAN.
Gilliam pushed the hashtag #VANghazi on Twitter and retweeted a plethora of news coverage of NGP VAN's breach.
“We strongly believe in making voter information more accessible to political campaigns and advocacy groups, so we provide cleaned versions of that publicly accessible information to them for free,” part of NationBuilder’s Monday statement read. “We do not provide access to anyone for non-political purposes or that would violate any state’s laws. Each state has different restrictions, and we make sure that each campaign understands those restrictions before providing them with any data. It is vital that everyone running for office knows who is registered to vote in their district.”
NGP VAN hasn’t issued a formal statement, but some campaign veterans are taking issue with Gilliam’s rebuttal. Will Cubbison, a former North Carolina campaign staffer turned Ph.D. student, wrote on Twitter: “NationBuilder accused of a pretty large data breach so CEO now claiming as defense that all the info is public. 2 problems with that. If the data is public and free then NationBuilder has no purpose. Except it isn't free or easily accessible across all states.”
Meanwhile, other political data vendors were contacted by Ragan and Vickery as they investigated the data exposure. But L2 CEO Bruce Willsie, who was contacted, said there’s little data vendors can do, whether they’re partisan or non-partisan, to stop a client from putting voter data online.
“They could do that with our data, they could do that with anyone’s data,” Willsie told C&E. “Once they’ve physically downloaded the data from our websites, what they do with it from that point is entirely in their control.”
Data vendors have agreements with clients that stipulate their data will only be used for political or lawful purposes. But beyond suing a former client, there’s no way to physically stop them from making it publicly available, according to Willsie.
That will likely raise concerns among candidates and consultants, and could add to the tense climate surrounding data security.
Outside of the political industry, high-profile data breaches have occurred at organizations ranging from Target to the U.S. government. Data exposure is becoming synonymous with identity theft, regardless of what information is made public. So even if NationBuilder has zero responsibility in this case, its PR efforts will likely need to shift away from aggressively undercutting a competitor to doing its own damage control.