Thousands of ‘take action’ messages to lawmakers exposed by political advocacy giant

If you emailed your local or federal lawmaker in the last couple of years about legislative reform, there’s a good chance you sent your message through a form built by a little-known Washington, D.C.-based political group.

VoterVoice says its “grassroots advocacy system” allows lobbying firms and groups to alert concerned citizens about hot-topic issues — as well as messaging their lawmakers as part of coordinated campaigns. To most, it’s little more than filling out a form on a website with a prewritten statement, signing your name and hitting send. The company says to date more than 21 million people have sent 36 million messages.

But a storage server belonging to the company has exposed hundreds of thousands of email addresses and other campaign data.

Security researcher John Wethington found the exposed storage server and passed details to TechCrunch in an effort to get the data secured. Despite those efforts, VoterVoice stopped responding to our emails and made no attempt to secure the data.

The storage server had thousands of individual folders for each campaign, containing more than 300,000 unique constituent email addresses, as well as home addresses, phone numbers and other personal information that could indicate political persuasions and religious beliefs, said Wethington. Many of the files also contained their corresponding messages to lawmakers and other advocacy and political action groups.

One of the “act now” political action efforts supported by VoterVoice. (Screenshot: TechCrunch)

One file alone seen by TechCrunch contained 4,392 unique names, phone numbers and email addresses of Americans with the same four-paragraph text sent to lawmakers to lobby for Medicare reform. The spreadsheet kept a record of every person who made a submission and to which lawmaker their message was delivered.

“Organizations that provide platforms for outreach, advocacy, and lobbying hold some of the most sensitive information about the individuals and clients their platforms support,” said Wethington. “Exposure of this information allows malicious actors to target individuals easily. One can easily imagine a scenario where an extremist group with access to this type of information could identify individuals based on any of these private attributes.”

“There’s so much data exposed that we may never know the full breadth and depth of risk these users were exposed to,” he said.

It’s not known for how long the storage server was exposed. The server was created by a VoterVoice staffer, who was rolled into FiscalNote after its acquisition of VoterVoice in 2017.

When reached, VoterVoice founder Neal Fuller said he was “not really in any position to confirm” whether the server was exposed during his tenure as chief executive. “I sold VoterVoice to FiscalNote in July 2017,” he told TechCrunch, and said he has not been involved in the company since.

After publication, FiscalNote sent a statement through a public relations firm, which falsely claims the leak was limited to a single organization. TechCrunch is printing the company’s statement with that caveat.

“This matter was limited to one organization and 4,392 names, phone numbers, and email addresses of Americans containing the same four-paragraph text sent to lawmakers to lobby for Medicare reform as part of that organization’s education campaign,” the statement said. It added: “It is also important to note that VoterVoice users are notified that all communications with lawmakers — whether it is a public petition, direct contact with the official’s website, or a comment made during the federal regulatory rule-making process — is not private and in the public domain in that it can be also obtained via a FOIA or public information request to Congress.”

FiscalNote’s statement added that it’s “committed to the security and privacy of our users,” yet the storage server was still exposed.

After we sent a file containing more than 80,000 user records and dozens of confidential contracts signed by customers of VoterVoice, the storage server was finally secured.

Updated with statement from VoterVoice parent company FiscalNote and later