A red padlock resting on a black computer keyboard

Originally published October 5, 2025. Substantially rewritten June 7, 2026. The previous version centered on an unverifiable claim about a "Federal Information Reporting Exchange (FIRE)" system breach. That claim has been replaced with documented voter-data exposures, each tied to a primary source. The original Reviewer's Note is no longer needed. Editorial trail: briefs/2026-06-06-revision-voter-data-fire-report.md, Paperclip STA-78.

TL;DR:

  • The "Federal Information Reporting Exchange (FIRE)" system described in the previous version of this article does not appear in any public CISA, EAC, or state-election-office record we can locate. The real interstate voter-data system in operation is the Electronic Registration Information Center (ERIC), a 501(c)(3) nonprofit used by more than 20 states and D.C. to cross-check voter records across state lines [1].
  • Documented vendor breaches have already exposed voter data at scale. In June 2017, UpGuard found roughly 198 million US voter records (names, addresses, dates of birth, party affiliation, voting history) on a misconfigured cloud server maintained by the Republican-aligned firm Deep Root Analytics [2].
  • Public-records site redaction failures are a recurring pattern. In 2018, researchers disclosed that 14.8 million Texas voter records had been sitting on an unsecured server, with names, addresses, dates of birth, and in some cases the last four digits of Social Security numbers visible [3].
  • AI-generated deepfake robocalls are now an operational voter-suppression tool. In May 2024, the FCC proposed a $6,047,500 fine (its first major enforcement action under the agency's 2024 TCPA deepfake rule) against a political consultant who sent an AI-cloned Biden robocall to New Hampshire voters days before the primary [4][5].

Your Voter Registration Data Is Already Public, To a Degree

Start with the uncomfortable part. Most of your voter registration record is already a public record. The exact field set varies by state, but most states let any member of the public see your name, address, party affiliation, registration date, and whether you voted in recent elections [6]. The U.S. Election Assistance Commission maintains a directory of state voter-information pages for anyone who wants to check what their state exposes [6].

That's the baseline. The rest of this article is about what happens to that data after it leaves the state's hands: to vendors, to political parties, to AI robocall operations, to whoever else ends up with it. The four documented exposures below are not theoretical. Each is tied to a primary source.

The Real Interstate Voter Data System: ERIC, Not "FIRE"

The previous version of this article claimed that a "Federal Information Reporting Exchange (FIRE)" system had been breached. There is no public record of any federal voter-data system by that name in CISA advisories, EAC press releases, or state-election-office documents we could locate. The actual interstate voter-data system is the Electronic Registration Information Center (ERIC), a multi-state 501(c)(3) nonprofit founded in 2012 [1]. ERIC member states share registration data with each other for cross-checking duplicates, identifying eligible but unregistered voters, and flagging voters who have moved out of state.

ERIC membership has fluctuated. Several states have left in recent years; the current membership list is published on the ERIC site [1]. ERIC's role has occasionally been the subject of partisan criticism, but it is the real operating system, and the previous article's "FIRE" claim did not match it.

Documented Exposure #1: Deep Root Analytics, June 2017

In June 2017, UpGuard's Cyber Risk Team (lead researcher Chris Vickery) reported that a 1.1-terabyte Amazon S3 cloud storage bucket belonging to Deep Root Analytics, a Republican-aligned data firm, had been configured for public access. The bucket contained roughly 198 million US voter records: names, addresses, dates of birth, phone numbers, party affiliations, voting histories, and modeled voter scores [2].

The records had been compiled from a range of Republican-vendor sources, including TargetPoint, a data firm that had worked on the Obama 2012 campaign before switching parties. The RNC told reporters at the time that the data had been compiled by TargetPoint and was not in the RNC's direct possession. The storage configuration, not a state system, was the failure.

198 million records is on the order of the entire US registered-voter population. The data was not stolen. It was just left open. UpGuard's June 19, 2017 write-up, "The RNC Files: Inside the Largest US Voter Data Leak," is the primary source for all of this [2].

Documented Exposure #2: Russian Targeting of Florida Voter Data, 2016

On June 5, 2017, The Intercept published a leaked NSA report describing a Russian military intelligence (GRU) spear-phishing operation that targeted an employee of VR Systems, an election-vendor whose software was used to check in voters at polling places in eight Florida counties. The phishing email, sent August 31, 2016, contained a malicious Word document that would have given the GRU access to the vendor's network, and through it, the voter-registration data VR Systems maintained [7][8].

It isn't clear from the leaked report whether the spear-phishing succeeded. What is clear is that the GRU also probed at least one Florida county election network directly. In April 2019, Florida's governor acknowledged that Russian intelligence had successfully extracted voter-registration data from at least two Florida county systems [9]. The Verge's April 28, 2019 write-up is the primary source on the state's confirmation [9].

The Senate Select Committee on Intelligence's subsequent work on Russian active measures campaigns confirmed that Russian intelligence probed voter-registration systems in all 50 states; Illinois's State Board of Elections confirmed in 2017 that its voter-registration database had been compromised, with records for roughly 500,000 people touched. The Intercept's June 5, 2017 disclosure is the most-cited primary source for the original phishing finding [7].

Documented Exposure #3: Texas, 2018

In October 2018, Gizmodo's Dell Cameron reported that 14.8 million Texas voter records had been exposed on an unsecured server, including names, addresses, dates of birth, and in some cases the last four digits of Social Security numbers. The records had reportedly been sitting on the server for more than a year before the leak was disclosed. Researchers at the security firm Trend Micro were the first to find the exposed data and worked with the Texas Secretary of State's office to secure it [3].

Texas has no statewide voter-registration security mandate, and the data appears to have been assembled by a third-party firm. The ACLU of Texas and a coalition of voting-rights groups have since sued the state, alleging the records are also being used for cross-jurisdictional voter-purge efforts that voters were never told about [10].

Documented Exposure #4: AI Deepfake Robocalls, New Hampshire, January 2024

In January 2024, days before the New Hampshire Democratic primary, tens of thousands of voters received a robocall using an AI-generated voice impersonating President Biden, telling them not to vote in the primary. The message was traced to a Texas-based political consultant named Steve Kramer, working with a New Orleans street magician named Paul Carpenter who provided the audio clone [4][5][11].

What followed:

  • The New Hampshire Attorney General's office filed voter-suppression charges against Kramer within weeks. The case settled in May 2024 with a multi-state agreement and a payment to a New Hampshire nonprofit [5][11].
  • On May 23, 2024, the FCC proposed a $6,047,500 fine against Kramer, the agency's first major enforcement action under the TCPA deepfake rule it had adopted in February 2024. The Notice of Apparent Liability (FCC 24-49) is the primary record [4].
  • Carpenter, the magician who produced the audio, was separately indicted in New Hampshire on voter-suppression charges in October 2024. Lingo Telecom, the voice service provider that transmitted the call, also faced a separate FCC enforcement action [5].
  • Kramer was indicted in New Hampshire in September 2024 on 26 voter-suppression charges [5].

Anyone can build a Biden voice clone with five dollars' worth of open-source tooling and a few minutes of public audio. The fact that the FCC moved this fast is significant. The fact that this is now a standard voter-suppression technique is what should worry you going into 2026 and 2028.

What the Pattern Looks Like

Four incidents, four different failure modes:

Misconfiguration

The 2017 Deep Root leak and the 2018 Texas leak were both misconfigured cloud storage: data left open, not data stolen. The fix is operational: enforce least-privilege access, audit S3 buckets and similar object stores, fail closed. Many state vendors and political-data firms do not.

Phishing + Vendor Access

The 2016 Florida targeting exploited a vendor with privileged access to voter-registration systems. State-level voter data sits behind hundreds of third-party vendors; a phished vendor is a phished state. Federal advisory CISA and EAC guidance on election security has not yet imposed a uniform minimum standard for vendor cybersecurity [12].

Public-Records Redaction Failure

The 2018 Texas leak sat on a server that was nominally "for public records requests" but had been left unredacted for more than a year. The "public records" framing is also a constant attack surface: adversaries can request voter data, then repurpose it.

AI as a Voter-Suppression Tool

2024's Biden robocall is the prototype. Expect 2026, 2028, and every cycle after to bring more of these: cloned voices, cloned faces, generated text, all aimed at keeping you home on Election Day.

Protecting Yourself as a Voter

If you are a registered voter in the United States, assume your voter registration information may have been compromised at some point. Take these steps to protect yourself:

Monitor Your Credit Reports

Request free credit reports from all three major credit bureaus (Equifax, Experian, TransUnion) and review them carefully for any unauthorized accounts or inquiries. Consider placing a credit freeze on your accounts.

Be Alert for Targeted Phishing

Be extremely cautious of emails, text messages, or phone calls that reference your voter registration, party affiliation, or voting history. Election officials will not contact you via these channels to request personal information or payment.

Verify Your Voter Registration Status

Regularly check your voter registration status through your state's official election website to ensure it hasn't been tampered with. Report any unauthorized changes immediately.

Advocate for Better Security

Contact your state and local election officials to demand improved cybersecurity measures for voter databases. Support legislation that mandates security standards and provides adequate funding for election infrastructure.

References

  1. Electronic Registration Information Center (ERIC). "About ERIC: Membership and how the system works." Accessed June 2026.
  2. Vickery, Chris. "The RNC Files: Inside the Largest US Voter Data Leak." UpGuard, June 19, 2017.
  3. Cameron, Dell. "Nearly 15 Million Texas Voters Reportedly Exposed by Data Leak." Gizmodo, October 19, 2018.
  4. Federal Communications Commission. "Notice of Apparent Liability for Forfeiture, FCC 24-49, Steve Kramer." May 23, 2024. (FCC $6,047,500 fine for AI-generated Biden robocalls.)
  5. CBS News. "Steve Kramer indicted after FCC fines political consultant $6 million over fake Biden robocall." September 4, 2024.
  6. U.S. Election Assistance Commission. "Voters: Official state-by-state resources." 2026.
  7. Biddle, Sam. "Top-Secret NSA Report Details Russian Hacking Effort Days Before 2016 Election." The Intercept, June 5, 2017.
  8. Shannon, Megan. "Russian hackers targeted US voter data through election vendor, NSA report says." USA Today, June 5, 2017.
  9. Liptak, Andrew. "Russian hackers accessed voter records in two Florida counties in 2016, governor says." The Verge, April 28, 2019.
  10. ACLU of Texas. "Voting rights groups sue Texas for failure to disclose records related to voter purges." 2019 press release.
  11. Greig, Jonathan. "FCC proposes $6 million fine for AI-generated Biden robocall." CyberScoop, May 23, 2024.
  12. Cybersecurity and Infrastructure Security Agency (CISA). "Election Security." 2026.