The UpGuard Cyber Risk team can now disclose that call lists containing full names and phone numbers for over 527,000 individuals were publicly exposed in a misconfigured Amazon S3 bucket belonging to the Tea Party Patriots Citizens Fund (TPPCF), a Republican super PAC involved in campaigns including the 2016 presidential election, the Stand for the Second student walkout, and endorsing congressional candidates like Alabama’s Roy Moore and New Jersey’s Jay Webber.
Also included in the exposed data were strategy documents, call scripts, marketing assets, and other files revealing a focused effort to politically mobilize US voters, an effort that ultimately succeeded in helping Donald Trump win the presidency of the United States. Cutting edge political data analysis was used in the 2016 presidential election to direct traditional grassroots campaigning efforts at large scales in the most effective manner. The intersection of politics and information technology has created a new democratic paradigm, in which heavily funded electioneering organizations can use data-based microtargeting to influence individual voters with increasing precision.
On August 28, 2018 a publicly readable Amazon S3 storage bucket named “tppcf” was discovered by the UpGuard Cyber Risk team. After downloading the exposed contents, at a total size of just over 2 gigabytes, analysis revealed that this information belonged to the Tea Party Patriots Citizens Fund (TPPCF), a conservative super PAC made possible by the 2010 Citizens United decision. A super PAC is “a type of independent political action committee which may raise unlimited sums of money from corporations, unions, and individuals but is not permitted to contribute to or coordinate directly with parties or candidates.”
According to their website, TPPCF “...provide[s] a grassroots platform for your voice to be heard, and ultimately for you to pursue the American dream.” The data was primarily comprised of PDF documents and image files, with other scattered document types throughout. The majority of the files were dated around the 2016 United States presidential election, while the rest dealt with campaigns to support candidates in other elections.
On October 1st, 2018, TPPCF was notified by UpGuard of the exposure via email. A help desk coordinator replied within hours and the bucket’s permissions were changed to only allow global authenticated users. This setting is still essentially public as anyone can have an Amazon account, and thereby authenticate as an Amazon user, for free. By Friday, October 5th, all access to the bucket had been removed.
Misconfigured cloud storage like Amazon S3 is responsible for some of the largest data exposures in recent memory. These assets are private by default, meaning the permission set must be actively altered to allow public access. However, the fact that these assets can be misconfigured inevitably means that some of them will be misconfigured. Only controlled processes that account for the risk of exposure can prevent such misconfigurations from occuring. Our full post on Amazon S3 bucket security can be found here.
The 2GB of exposed data can be broken down roughly into three categories:
Call Data - PDF files containing the names and numbers of nearly 527,000 individuals.
Strategy Documents - PDF files containing instructions, scripts, guidelines and other administrative details on messaging, focus, and direction.
Marketing Assets - Images and PDF documents intended for end-user distribution with messaging, campaign strategies, TPPCF activity and efforts, and other assets intended to influence potential voters.
Screenshot of some of the Call List files exposed in the TPPCF S3 bucket.
Most significant, contact details for 527,000 individuals across the country were exposed in several phone banking PDF files, listing the person’s first and last name, phone number, state of residence, and “VoterID.” These records detail exactly who was targeted for phone call reach out by TPPCF campaigns, especially the 2016 “March to Victory” presidential effort.
Redacted screenshot of aTPPCF March to Victory Call List
UpGuard’s analysis of the TPPCF call data shows that the distribution by state of people roughly follows some of the strategy laid out in the TPPCF documents, in that the overwhelming majority of people listed were from Pennsylvania (243,139 individuals) and Florida (212,355 individuals,) key states for a Trump victory. The other people targeted were from Texas (54,329 individuals,) Montana (14,680 individuals,) and New Jersey (2,903 individuals). Under 100 additional individuals were present for other states.
Redacted screenshot of a TPPCF Support Jay Webber Call List
Documents in this category include “toolkits,” phone scripts, fully written templates for letters to news editors and governmental representatives, written copy for social media distribution such as on Twitter and Facebook, slogans and quotes for physical signs, and other methods by which exact TPPCF messaging could be widely disseminated. Visual diagrams explaining conversation workflows and other dialogue trees minimize the training and skills necessary for a person to perform the labor of electioneering.
Screenshot of TPPCF March to Victory Phone Banking Script
Documents containing sample letters with instructions were found, many pushing conservative agendas on common issues like tax reform. Documents were targeted to specific audiences, with some intended for regular people, and others aimed at “business owners” and students.
Screenshot of a TPPCF Letter to the Editor Script
Screenshot of TPPCF “Talking Points for Business Owners”
Campaigns included the “Stand for the Second” initiative, a conservative response to gun control efforts in the wake of multiple school shootings.
Screenshot of TPPCF Sample Letter to support the “Stand for the Second” initiative.
Screenshot of TPPCF suggested tweets for their “Stand for the Second” initiative.
Screenshot of TPPCF suggested sign messages for their “Stand for the Second” initiative.
One of the largest documents in the data set is the publicly available “VictoryReport” that details the efforts of TPPCF during the 2016 presidential election. This document summarizes and quantifies outreach efforts, messaging strategies, and campaign focus on crucial states necessary to win the electoral vote.
TPPCF initially supported Ted Cruz during the Republican primary race, but shifted its focus to Trump in the general so they “could effectively stop Hillary Clinton from becoming president,” according to the Victory Report.
Screenshot of the cover of the TPPCF Victory Report
The document also includes specific tactics designed to win people over to Trump during the general election.
Among the marketing assets included in the exposure are banners for individuals supported by TPPCF, pictures and videos intended for email messaging, and various web assets for TPPCF sites.Among the TPPCF supported candidates are Louisiana's Roy Moore, who lost his election amidst a sexual abuse scandal. Banners also exist to promote Dinesh D’Souza’s anti-Hillary movie. D’Souza is a conservative activist who was pardoned earlier this year by President Trump for a felony campaign finance violation to which D’Souza pleaded guilty in 2014.
The 2016 election revealed that a major shift had already taken place in the political campaigning landscape-- one centered around data. There were earlier indications, including the Brexit referendum in the UK, that traditional methods were giving way to high powered political data analysis by companies specializing in such processes. In fact, the company likely responsible for TPPCF’s voter intelligence, L2 Political, cut their teeth on Barack Obama’s 2012 re-election campaign-- proving that this particular kind of data-driven electioneering was already being utilized by the major parties, and that such information gathering and processing is party agnostic-- the same tactics can be used to push any political message.
Screenshot from the TPPCF Victory Report
As described in their own material, TPPCF’s pavement pounding efforts-- guided by high tech political data analyses-- helped to influence the outcome of the 2016 presidential election. Information technology has not only changed the way in which democratic processes take place-- from voting machines, to microtargeting, to predictive models-- but it has changed the way democracy itself functions, allowing highly focused, heavily funded super PACs to coordinate “grassroots” campaigns with finely tuned messaging at scale.
The ongoing saga of Russian interference in the 2016 presidential election, including the successful phishing attack on Hillary consultant John Podesta which leaked the DNC’s internal emails and strategy, is just one of the ways in which the modern technological landscape has introduced new risks to the political sphere during its increasing digitization. Social media played a larger role than ever in disseminating messaging for both parties, and allowing like-minded people to build and participate in politically active microcommunities, while at the same time opening new and more focused advertising avenues for professional electioneers.
As valuable as this data might be to political parties and the companies who profit from its sale, like any modern dataset, it is also subject to the inherent risks of the infrastructure on which it lives. In this case, an Amazon S3 storage bucket was misconfigured to allow any anonymous user not only the ability to read files, but to modify or delete them as well, an especially dangerous scenario. The presence of the names and phone numbers of nearly 527,000 Americans makes this more than an exposure of organizational data, but a breach of privacy for people singled out by political analysis systems as high value targets for TPPCF’s efforts. Cloud resources offer versatility and connectivity, but must be carefully managed to prevent sensitive information from being exposed to the internet at large. As political data becomes ever more integral to the political process, the integrity of that data must be protected with the same urgency with which it is acquired and used.