Information on nearly 200 million registered voters compiled for the Republican National Committee (RNC) was exposed in a database that was accessible without a password, according to a story in The Hill.
UpGuard, the security firm which detected the security vulnerability, attributed the leak to a misconfigured database managed by Deep Root Analytics (DRA), a data analytics firm contracted by the Republican party during the presidential campaign.
The data, which included the personal information of nearly all 200 million registered voters – of both political parties – was compiled for DRA with the help of at least two other Republican contractors, TargetPoint Consulting and Data Trust. The data included names, dates of birth, home addresses, phone numbers, and voter registration details, as well as “profiling” details to be considered in targeting political ads – such as voter ethnicity and religion.
The spreadsheets containing the data – more than a terabyte stored on an Amazon Web Services S3 bucket – were last updated around the time of the January 2017 presidential inauguration, according to a statement from UpGuard.
“…anyone with an internet connection could have accessed the Republican data operation used to power Donald Trump’s presidential victory, simply by navigating to a six-character Amazon subdomain: dra-dw,” the report stated. “dra-dw” was shown to stand for: Deep Root Analytics Data Warehouse.
“We take full responsibility for this situation,” read a statement from DRA.
The information was viewable by anyone, with no login required. Chris Vickery, a cyber risk analyst at UpGuard, discovered the account, which has since been secured.
“This exposure raises significant questions about the privacy and security Americans can expect for their most privileged information,” the UpGuard report stated. “That such an enormous national database could be created and hosted online, missing even the simplest of protections against the data being publicly accessible, is troubling.”
Commenting on this latest leak of voter records, Ben Johnson, CTO at Obsidian Security, told SC Media on Monday that one has to assume that anything typed into a computer will leak at some point.
Furthermore, he added, the lack of proper cybersecurity hygiene permeates through virtually all job roles and responsibilities within the election ecosystem, as companies, organizations and individuals race to collect, utilize and benefit from data without slowing down to properly safeguard it.
“Accidents happen, but when there are weekly reports of huge leaks of unprotected, sensitive servers, it illustrates a systemic issue,” said Johnson, a former NSA analyst. “Combine poor practices with motivated and sophisticated adversaries and this picture will only get worse. We must realize that information is power and we are handing over power to our adversaries. It’s time we either fix the end-to-end systems related to elections, or we go back to pen-and-paper. Being in a spot where we optimize for neither is putting democracy at risk.”
Another expert contacted by SC Media agreed. “When hackers are after your data, they’ll target trusted relationships, usually through a third-party with access to your network,” Fred Kneip, CEO of CyberGRX, told SC Media on Monday.
In the case of the Target breach, for example, it was a small HVAC vendor who may not have viewed information security as a core competency or high priority, Kneip pointed out. “The fact that exposure can occur even through a big data firm versed in data security best practices goes to show that all third parties, regardless of the resources they have to secure your data, are potential attack vectors.”
The only way to identify one’s true cyber risk exposure is to understand all of one’s third parties’ exposure to cybersecurity vulnerabilities, said Kneip. “That means a robust third-party cyber risk management program that continually measures risk and provides recommended measures to mitigate the most pressing threats.”
DRA has hired security firm Stroz Friedberg to investigate the exposure, which lasted from June 1 through 14. It was sealed following Vickery’s detection on June 12 and his alert to regulatory agencies.