Groups urge Amazon to disclose any election data breaches
Data breaches of Amazon’s cloud computing servers in recent years has civil rights groups questioning whether the e-commerce company can protect voter data in the U.S. elections in November.
The groups, which include Color of Change, Demand Progress and RootsAction, sent a letter Wednesday to Amazon CEO Jeff Bezos asking him to disclose any data breaches the company may have had relating to voters’ personal information, election results or political party campaign data. “We know bad actors are looking for loopholes, like the cloud security compromises, that they can exploit to influence the outcome of our elections,” they wrote.
In the past four years, more state and local election offices have used Amazon to host and store voter data. The company started its foray into U.S. elections in 2016, with a city here and a county there. Amazon now has clients that store or post voter and election information in more than 40 states.
The company – through Amazon Web Services (AWS), the name of its cloud-computing platform – also powers campaign websites, voter registration databases, election results and more. The League of Women Voters, the State of New Hampshire and other civic groups, political candidates and election offices use Amazon for cloud storage or web services.
Because Amazon holds so much voter and election information, “a single breach could have catastrophic consequences for election integrity in dozens of states,” the groups said.
The groups may have reason to be concerned. Hacker groups Strontium of Russia, Zirconium of China and Phosphorus of Iran unsuccessfully attacked both President Donald Trump’s and Joe Biden’s campaigns in September, Tom Burt, Microsoft’s corporate vice president of customer security said in a September post on the company’s blog. Phosphorus also tried to log into the Trump’s campaign staff’s Microsoft accounts in May and June, Burt said.
Microsoft has software called ElectionGuard that the company says tabulates and secures election results. Amazon however does not have a specialized product for hosting and protecting election data. Rather, Amazon’s cloud offers a more generalized service that clients can adapt to different needs and industries.
Still, the groups cited three hacks of private information stored on cloud servers provided by AWS. In 2016, Mexico’s entire voter database was hacked and made publicly accessible online until discovered by U.S. security researchers. In 2017, a political consultancy firm named Deep Root Analytics had voter information it was gathering for the Republican Party posted online for 12 days due to a server misconfiguration. Last year, Capital One bank also hadpersonal information stolen by a hacker.
Those incidents raise concerns that gaps in security could be used to manipulate the 2020 elections, the groups said.
“Voter information acquired from a hack or leak could be weaponized to suppress votes and spread disinformation, especially in Black and Brown communities that are targeted and systematically disenfranchised in every election,” they told Bezos.
Amazon told Reuters last year that the previous breaches were caused by customer errors. Amazon gives clients suggestions and guidances on how to best safeguard data, but ultimately customers must build their own security protocols for protecting whatever they store.