Lawsuit targets firm that failed to secure 198 million Americans' data

Lawsuit targets firm that failed to secure 198 million Americans' data
© Getty Images

Two Floridians filed a lawsuit last week against Deep Root Analytics, the campaign consultancy that accidentally left information on 198 million Americans accessible online without protecting it with a password.  

"If companies don't do the bare minimum to protect records, we're in trouble," said Jason Zimmerman, a member of the legal team representing plaintiffs James and Linda McAleer in what they want to turn into a class action suit. 

Deep Root specializes in using data analytics to determine how to target specific voters. The exposed data included contact information and estimates of political preferences for around eighty percent of voting-age Americans. 

On June 19, researcher Chris Vickery of the security firm UpGuard announced that he had found Deep Root had configured that data to be available to any who visited Deep Root's Amazon cloud storage account without needing to log in. According to a statement from Deep Root, the data was only exposed for two weeks. 

Though the files included contact information, all of the contact information was compiled through publicly available voter files obtainable through state secretaries of state. The files also contained big data approximations of individual's political views.  

The lawsuit claims that Deep Root was negligent in the way it protected data and seeks to cover two classes of victims — the general public and Florida residents in particular. 

Zimmerman said his team was still fact-finding to assess what damages might be. 

Misconfigured security settings are a common, if potentially devastating, mistake. Vickery has built a reputation for scouring unsecured documents and databases to find find major intellectual property infoormation and government secrets accidentally left in the open.

Finds have ranged from login credentials for a top secret U.S. intelligence project being run by a major private contractor, to a private intelligence-assembled terrorist watch list and voter rolls in Mexico. 

“The lawsuit is entirely without merit," a Deep Root spokesman said in a statement. "We will fight it vigorously.”