A contractor working for the Republican National Committee (RNC) left more than 198 million Americans’ personal information exposed online in a misconfigured database, UpGuard researcher Chris Vickery recently found.
The 1.1 terabytes of data, which covered almost all of America’s 200 million registered voters, included names, birthdates, home and mailing addresses, phone numbers, registered parties, racial demographics and voter registration status.
The information was held in an unprotected Amazon Web Services S3 bucket owned by Deep Root Analytics (DRA), and had been compiled by DRA along with two other Republican contractors, TargetPoint Consulting and Data Trust.
Anyone with an Internet connection could access the data simply by navigating to the Amazon subdomain “dra-dw,” for “Deep Root Analytics Data Warehouse.”
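The article does not say which bucket setting was misconfigured. As an added example (not from the article or any company named in it), this offline check flags the two common ways an S3 bucket becomes world-readable: an ACL grant to a public group, or a bucket policy with a wildcard principal. The function name and sample inputs are constructed for illustration.

```python
import json

# Predefined S3 groups that make an ACL grant effectively public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the Internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}
READ_ACTIONS = ("s3:getobject", "s3:listbucket", "s3:get*", "s3:list*", "s3:*", "*")

def as_list(value):
    """Policy fields may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def is_wildcard_principal(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in as_list(principal.get("AWS", []))

def public_read_findings(acl_grants, policy_json):
    """Return findings for ACL grants or policy statements that expose data publicly."""
    findings = []
    for grant in acl_grants:
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GROUPS and grant.get("Permission") in ("READ", "FULL_CONTROL"):
            findings.append(f"ACL: {grant['Permission']} granted to {PUBLIC_GROUPS[uri]}")
    policy = json.loads(policy_json) if policy_json else {}
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not is_wildcard_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # conditioned statements need manual review; not flagged here
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        hits = [a for a in actions if a in READ_ACTIONS]
        if hits:
            findings.append(f"Policy: {', '.join(hits)} allowed for Principal '*'")
    return findings

# Constructed sample inputs (not Deep Root Analytics' real configuration).
SAMPLE_ACL = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "s3:*", "Resource": "*"},
]})

if __name__ == "__main__":
    for finding in public_read_findings(SAMPLE_ACL, SAMPLE_POLICY):
        print(finding)
```

In practice the ACL grants and policy document would come from the bucket's exported configuration; an empty result here does not replace enabling S3 Block Public Access on the account.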
9.5 Billion Data Points
According to UpGuard, the data was key to the RNC’s data operation for the 2016 presidential election, which compiled about 9.5 billion data points to score 198 million potential voters on their likely political preferences.
“This exposure raises significant questions about the privacy and security Americans can expect for their most privileged information,” UpGuard cyber resilience analyst Dan O’Sullivan wrote in a blog post.
“It also comes at a time when the integrity of the U.S. election process has been tested by a series of cyber assaults against state voter databases, sparking concern that cyber risk could increasingly pose a threat to our most important democratic and governmental institutions,” O’Sullivan added.
In a statement published on June 19, Deep Root Analytics said it has “updated the access settings and put protocols in place to prevent further access.”
“Deep Root Analytics maintains industry standard security protocols,” the company added. “We built our systems in keeping with these protocols and had last evaluated and updated our security settings on June 1, 2017.”
A Gift to Hackers
CyberScout chairman and founder Adam Levin told eSecurity Planet by email that the exposed data could prove a treasure trove for creative hackers.
“They can pose as anyone from a political action committee or local voting board to the IRS or a bank in phishing emails, to coax additional information from voters, such as Social Security numbers for identity theft, or they can influence the voting process directly,” Levin said.
“Any organization that collects and stores data such as voter information must exercise the highest level of cyber hygiene,” Levin added. “This includes repeated penetration testing and searches for and patches to new vulnerabilities as well as continual monitoring for unusual data exfiltration.”
Tim Prendergast, CEO of Evident.io, said it’s important to remember that the breach wasn’t the result of malware or a hack. “This was simply a case of human error and poorly defined policies, and it highlights why ‘intent to secure’ isn’t enough,” he said. “Continuous enforcement of strict security is table stakes at this point and it’s clear that it’s mandatory.”
“Consider all public cloud customers and all their users across the globe — some level of unintended, inadvertent exposure is certainly happening in many organizations,” Prendergast added. “They may have yet to surface, but unless these organizations are aware and able to remediate problems, their data breach could be the next headline.”
Cybernance CEO Mike Shultz said the greatest threat an organization faces usually isn’t an outside attacker — it’s the people inside the organization and their mistakes. “The lack of safeguards around the people, processes and policies of this organization have culminated in a massive, embarrassing and extremely troubling leak,” he said. “This event suggests that there is no emphasis on cyber literacy or training within the company, which is disturbing given the sensitive and private nature of their product and offering.”
Third Party Risks
And Sam Elliott, director of security product management at Bomgar, said the breach should serve as yet another reminder of the risks presented by contractors and third parties. “Organizations in the public and private sectors alike are increasingly working with external vendors who either have access to or store sensitive data,” he said. “This significantly increases the risk of that information being leaked or a breach occurring due to a contractor being compromised, as was the case with the historic OPM breach.”
“Organizations that falsely assume their contractors uphold the same security standards as they do open themselves up to risk in today’s heightened environment,” Elliott added. “To stay safe, companies must set security policies for all external groups and enforce adhering to them as a prerequisite for doing business.”