A consumer-grade network attached storage (NAS) device owned by Rice Consulting, a fundraising firm working primarily with the Democratic Party, containing client data and passwords giving access to other organizations, was left publicly accessible, a cybersecurity research firm discovered.
The factory-set authentication of the Buffalo TeraStation NAS device was disabled, leaving it open to being spotted and indexed by Shodan or Google’s IoT search engine, Hacken Director of Cyber Risk Research Bob Diachenko wrote. Researchers could see in the device’s access log that connections were made to it starting on February 22, 2018, from Turkey, South Korea, Thailand and other countries. While there is no indication the data was viewed or removed by malicious actors, Diachenko noted it is possible.
“Storage contained detailed information on each of the Rice Consulting clients (past, current, and potential), e-mail databases with details on thousands of fundraisers (phones, names, emails, addresses, companies), contracts, meeting notes, desktop backups, employee details, etc,” Diachenko wrote.
Information possibly even more important than fundraiser PII also resided on the NAS. The login credentials were found in an unencrypted Excel spreadsheet for a privately owned database and web hosting provider used by the American Democratic Party, and non-profit organizations authorized by the Democratic Party, such as the Maryland Voter Activation Network, the Democratic Legislative Campaign Committee, and Democratic National Committee (DNC) email accounts.
The Democratic Party National Committee was victimized in the run up to the 2016 election by what was at the time determined to be Russian hackers. A June 2016, CrowdStrike forensics investigation into a pair of intrusions at the DNC pinned the hacks on the Russian APT groups Cozy Bear and Fancy Bear, known to be connected to Russian intelligence.
“What’s most striking about the Rice Consulting data leakage is the failure to secure sensitive voters’ and donors’ data with the most basic measures, such as private servers, fire-walling, restricting access to a small number of IP addresses, etc.,” said Mike Bittner, digital security and operations manager of The Media Trust. “Any organization that processes data should keep in mind that cybercriminals are on a constant lookout for publicly accessible servers, and if their company is known to deal with political campaigns, bad actors will expect to find a trove of voter information.”
According to Rice Consulting’s website, the firm helps organizations “develop a long-term strategy to reach” their fundraising goals, noting that since its inception in 2001, it has worked “with the Maryland Democratic Party as well as countless Statewide, General Assembly, County and local elected officials and candidates.” SC Media has reached out to Rice Consulting for a comment.