Cloud Security Error Exposes Half a Million Voters' Personal Information

Another day, another cloud leak: Kromtech researchers recently came across a misconfigured CouchDB database exposing information on 593,328 Alaskan voters.

"When the database was configured, administrators bypassed important security settings that were set to 'public' instead of 'private,' allowing anyone with an Internet connection to gain access [to] the repository," Kromtech chief security communications officer Bob Diachenko wrote in a blog post analyzing the breach.

The data was part of VoterBase, a national voter file compiled by political data and technology provider TargetSmart.

Third Party Exposure

In a statement provided to Kromtech, TargetSmart CEO Tom Bonier blamed the breach on a third party. "We've learned that Equals3, an AI software company based in Minnesota, appears to have failed to secure some of their data and some data they license from TargetSmart, and that a database approximately 593,000 Alaska voters appears to have been inadvertently exposed, but not accessed by anyone other than the security researchers on our team and the team that identified the exposure," he said.

Kromtech vice president of strategic alliances Alex Kernishniuk said in a statement that it's time for regulators to move forward on managing an aging electoral system that seems to be struggling to keep up with the digital age. "This is yet another wakeup call for companies, governments, and political organizations to audit their networks, servers and storage devices and ensure they take the proper security precautions," he said.

Other misconfigured cloud databases recently discovered by Kromtech held 3,065,805 WWE fans' personal information and 48,000 Indian citizens' personal data.

Recent Skyhigh Networks research found that 7 percent of all Amazon S3 buckets are set to allow unrestricted access, and 35 percent are unencrypted.

Securing the Cloud

Dome9 co-founder and CEO Zohar Alon told eSecurity Planet by email that it's more important than ever for companies to define strict controls and practices for the handling of sensitive data. "Attackers are looking for two things: repositories with data of value to organizations, and weak security practices," he said.

"As more data makes its way to the public cloud and security practices around CouchDB become more standardized and robust, attackers will shift their attention to other low-hanging fruit, and exploit commonly known security gaps such as misconfigurations," Alon added.

A recent Bitdefender survey [PDF] of 1,051 IT security professionals found that nine in 10 U.S. respondents are concerned about public cloud security, and 15 percent do not deploy security for sensitive data stored outside their company's infrastructure.

One third of U.S. companies secure 31 to 60 percent of data stored in the public cloud, while just one in five encrypts all data stored there.

"With 2017 having already set new records in terms of the magnitude of cyber attacks, boards should be aware that it's only a matter of time until their organization will be breached, since most still lack efficient security shields," Bitdefender Senior eThreat Analyst Bogdan Botezatu said in a statement.