Data breaches of Amazon’s cloud computing servers in recent years has civil rights groups questioning whether the e-commerce company can protect voter data in the U.S. elections in November.
The groups, which include Color of Change, Demand Progress and RootsAction, sent a letter Wednesday to Amazon CEO Jeff Bezos asking him to disclose any data breaches the company may have had relating to election data. “We know bad actors are looking for loopholes, like the cloud security compromises, that they can exploit to influence the outcome of our elections,” they wrote.
In the past four years, Amazon has steadily won more government contracts to store voter data for state and local election offices. The company started its foray into U.S. elections in 2016, with a city here and a county there. It now stores voter and election information in more than 40 states.
The company – through Amazon Web Services (AWS), the name of its cloud-computing platform – also powers campaign websites, voter registration databases, election results and more. Amazon has contracted with civic groups, political candidates and election officials for these services, including the League of Women Voters and the State of New Hampshire.
Because Amazon holds so much voter and election information, “a single breach could have catastrophic consequences for election integrity in dozens of states,” the groups said.
Pennsylvania A.G. on election security
10:03
The groups may have reason to be concerned. Hacker groups Strontium of Russia, Zirconium of China and Phosphorus of Iran unsuccessfully attacked both President Donald Trump’s and Joe Biden’s campaigns in September, Tom Burt, Microsoft’s corporate vice president of customer security said in a September post on the company’s blog. Phosphorus also tried to log into the Trump’s campaign staff’s Microsoft accounts in May and June, Burt said.
In their letter, the groups cited three hacks of private information stored on cloud servers provided by AWS. In 2016, Mexico’s entire voter database was hacked and made publicly accessible online until discovered by U.S. security researchers. In 2017, a political consultancy firm named Deep Root Analytics had voter information it was gathering for the Republican Party posted online for 12 days due to a server misconfiguration. Last year, Capital One bank also had 100 million credit card customers’ personal information stolen by a hacker.
Amazon Web Services did not respond to a request for comment. Amazon told Reuters last year that the previous breaches were caused by customer errors and that customers must have their own security protocols for what they store in the cloud.
Yet such incidents raise concerns that gaps in security could be used to manipulate the 2020 elections, the groups said.
“Voter information acquired from a hack or leak could be weaponized to suppress votes and spread disinformation, especially in Black and Brown communities that are targeted and systematically disenfranchised in every election,” they told Bezos.