An unsecured database at VoterVoice exposed a trove of personal information, including more than 300,000 unique email addresses, home addresses and phone numbers of people who have sent messages to legislators or participated in campaigns around hot political topics through “the grassroots advocacy system.”

“In a leak that has an eerie resemblance to the 2016 leak of voter data via Facebook, this incident at VoterVoice has the potential to have far-reaching impacts,” said Warren Poschman, senior solutions architect with comforte AG.

“Organizations that provide platforms for outreach, advocacy, and lobbying hold some of the most sensitive information about the individuals and clients their platforms support,” said security researcher John Wethington, who discovered the unprotected server, according to a TechCrunch report. “Exposure of this information allows malicious actors to target individuals easily. One can easily imagine a scenario where an extremist group with access to this type of information could identify individuals based on any of these private attributes.”

After Wethington reported his findings to the organization and TechCrunch published them, VoterVoice released a statement saying the “matter was limited to one organization and 4,392 names, phone numbers, and email addresses of Americans containing the same four-paragraph text sent to lawmakers to lobby for Medicare reform as part of that organization’s education campaign.”

The grassroots group, which claims that more than 21 million users have sent 36 million messages since its inception, said constituents who use VoterVoice “are notified that all communications with lawmakers – whether it is a public petition, direct contact with the official’s website, or a comment made during the federal regulatory rulemaking process – are not private and in the public domain in that they can also be obtained via a FOIA or public information request to Congress.”

But the exposed server, which was still unsecured at press time, housed thousands of folders on each campaign which, in addition to unique email addresses and phone numbers, included personal data that could reveal political and religious leanings as well as the actual messages sent to legislators, the TechCrunch report said, noting that the 4,392 names in the Medicare campaign made up only one file.

The leak is even more troubling because it is unclear how long the information was exposed. “In VoterVoice’s case, the infrastructure was exposed for an unknown amount of time, meaning that nefarious individuals could have already accessed sensitive information without anyone knowing,” said Brian Johnson, CEO and co-founder of DivvyCloud. “Being compromised is bad enough, but being compromised and not knowing it is much worse.”

While the information was visible to the public, it could have been accessed by a malicious third party. “The best-case scenario would have been for VoterVoice to proactively find and correct this misconfiguration in the first place,” said Rich Campagna, CMO at Bitglass. “However, now that the event has passed, proper steps must be taken to mitigate potential damage and communicate with affected stakeholders in a timely manner.”

But critics said that’s not what the organization has done, pointing to its lackluster response. “VoterVoice was warned by security researchers and journalists that a server was left exposed and unfortunately decided to ignore these warnings, showing a blatant disregard for the privacy of American citizens,” said Ruchika Mishra, director of products and solutions at Balbix. “Failing to take immediate action after a misconfiguration like this is identified heightens the risk of personal information being obtained and misused by malicious actors.”

Providing an outlet for voters to use to reach lawmakers “is great in theory, but only if that communication is kept secure and the public has trust in both the platform and process,” said Mishra. “Organizations that interact closely with elected government officials need to take a much more stringent approach to security.”