If you emailed your local or federal lawmaker in the last couple of years about legislative reform, there’s a good chance you sent your message through a form built by a little-known Washington D.C.-based political group.
VoterVoice says its “grassroots advocacy system” allows lobbying firms and groups to alert concerned citizens about hot-topic issues — and lets those citizens message their lawmakers as part of a coordinated campaign. To most, it’s little more than filling out a form on a website with a prewritten statement, signing your name, and hitting send. The company says to date more than 21 million people have sent 36 million messages.
But the company’s storage server has exposed hundreds of thousands of email addresses and other campaign data.
Security researcher John Wethington found the exposed storage server and passed details to TechCrunch in an effort to get the data secured. Despite those efforts, VoterVoice stopped responding to our emails and made no effort to secure the data.
The storage server had thousands of individual folders for each campaign, containing more than 300,000 unique constituent email addresses, as well as home addresses, phone numbers and other personal information that could indicate political persuasions and religious beliefs, said Wethington. Many of the files also contained their corresponding messages to lawmakers and other advocacy and political action groups.
One file alone seen by TechCrunch contained 4,392 unique names, phone numbers and email addresses of Americans with the same four-paragraph text sent to lawmakers to lobby for Medicare reform. The spreadsheet kept a record of every person who made a submission and to which lawmaker their message was delivered.
“Organizations that provide platforms for outreach, advocacy, and lobbying hold some of the most sensitive information about the individuals and clients their platforms support,” said Wethington. “Exposure of this information allows malicious actors to target individuals easily. One can easily imagine a scenario where an extremist group with access to this type of information could identify individuals based on any of these private attributes.”
“There’s so much data exposed that we may never know the full breadth and depth of risk these users were exposed to,” he said.
It’s not known for how long the storage server was exposed. The server was created by a VoterVoice staffer, who was rolled into FiscalNote after its acquisition of VoterVoice in 2017.
When reached, VoterVoice founder Neal Fuller said he was “not really in any position to confirm” whether the server was exposed during his tenure as chief executive. “I sold VoterVoice to FiscalNote in July 2017,” he told TechCrunch, and said he has not been involved in the company since.
We’ll update if we hear back from FiscalNote.