Breach, Compliance Management, Data Security, Incident Response, Malware, Privacy, TDR, Vulnerability Management

Sites associated with both presidential contenders spring leaks

Proving that accidentally exposing sensitive information and data theft can be bipartisan, leaks of personal information have been siphoned out from databases connected to both presidential campaigns.

On the blue side, records of nearly a thousand donors to a political action committee (PAC) supporting Hillary Clinton were stolen between January and April. The data was housed in a spreadsheet residing on Amazon's cloud. It was detected by security researchers at the MacKeeper Security Research Center.

The database belonged to the Balance of Power PAC, a California-based organization, which backs Clinton's campaign and advocates for progressive causes.

The purloined information included names, email addresses, home addresses, occupations and phone numbers. Donation amounts and methods of payment were also breached, though personal financial data was not part of the spreadsheet.

The PAC's treasurer said the data was hosted by a New Zealand-based software company, BuddyBid, which, he added, the PAC ceased doing business with months ago.

On the red side, dozens of résumés of a number of people who applied for internships with the campaign of Republican presidential hopeful Donald Trump were exposed owing to a misconfigured setting on the Amazon S3 server hosting the candidate's website.

Chris Vickery, lead security researcher of the MacKeeper security research team, said in a blog post on Wednesday that after discovering Trump's asset repository, he poked around and detected a folder named “resumes.”

Because the site designer configured automated script to move files into the résumé directory, Vickery said he figured out how an automated script would assign names. He began with “resume_1.pdf,” which loaded a download dialogue window. "The file contained a glut of personal details, work/education history, and references for a young person hoping to become an intern with the Trump campaign," he wrote on his post.

He was quickly able to gain access to two dozen names via basic filename fuzzing; for instance, “resume2.docx” to “resume_9.pdf” and “resumeDT.pdf.”

Vickery notified the Trump staff of the exposure, after which the proper server permissions were applied.

"Ultimately, this was an entirely avoidable mistake on the part of Trump's tech staff," Vickery wrote.

Campaigns are often difficult entities to secure as they aren't permanent organizations and their staff and needs change rapidly, Tim Erlin, senior director of IT security and risk strategy at Tripwire, told on Thursday..

“Cybersecurity isn't a partisan issue," he told SC. "Both Democrats and Republicans alike are capable of misconfiguring settings and failing to patch vulnerabilities. Campaigns do handle sensitive information routinely, and securing that data needs to be part of their charter from the start.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.