
No recourse, perhaps, for 200M affected in breach of RNC database, attorney says

The 200 million registered voters whose personal details were compromised in a massive data breach face an uphill battle should they choose to petition for a class-action suit or seek recompense for the exposure.

The breach has been attributed to a misconfigured database managed by Deep Root Analytics (DRA), a data analytics firm contracted by the Republican party during the presidential campaign. The data included names, dates of birth, home addresses, phone numbers, and other details for registered voters from both political parties.

When asked if those affected might have any recourse, Everett L. Monroe, an attorney at Hanson Bridgett, a law firm with more than 150 attorneys in offices throughout California, told SC Media that the outcome is not certain.

"Affected people may not have a clear way to get recourse because most laws about data security and data breaches don't contemplate the kinds of harms we will see from what happened here," Monroe said. "Some states have laws requiring that businesses have reasonable security measures in place to protect personal information, but those laws are generally directed toward financial harms like identity theft. The information here, while many would consider it sensitive, probably wouldn't be subject to those laws."

"Other tort causes of action, like invasion of privacy or publication of private facts, often require that the information either be obtained in an improper manner or not be publicly available," he told SC. "It sounds like the exposed information was collected from publicly available sources, which makes it difficult for individuals to successfully sue on those grounds."

And when pressed on whether there are regulations on the books to penalize offenders who don't secure their systems, Monroe pointed to gray areas and ambiguities in the various state laws.

Some key findings

93% will use sensitive data in an advanced technology environment this year 

63% of enterprises are using advanced technologies without securing sensitive data 

59% of respondents voiced worries about security breaches from attacks targeting cloud service providers

– 2017 Thales Data Threat Report, Advanced Technology Edition

"A number of states have requirements that businesses implement reasonable security measures to protect personal information, typically enforceable by the Attorney General of the state, but (as above) those laws are not typically designed to protect the kind of data exposed here," he told SC.

In addition, he said, the Federal Trade Commission and other, more specialized federal agencies do have some data security requirements. "But it is not clear to me that any of those federal agencies would have the authority to pursue this kind of incident."

Monroe said he would not expect class action suits to follow. "I don't see an easy way forward for those class action suits because I can't think of a legal recourse that quite fits the injury," he said. "Finding a viable class action suit for something like this will be cramming a square peg into a round hole."

Judy Selby, national lead of cyber insurance and data privacy in BDO's Technology Advisory Services practice, agreed that the inconsistencies in applying various state laws to the data breach make prosecution problematic. 

The question of what recourse the affected people have can't be answered in a vacuum, she told SC, because it is largely a matter of state law. "Different states have different laws concerning voter information, and some voter information is considered public, while other information may be considered confidential."

It also likely depends on whether there was any unauthorized access to the information, Selby said. "Another factor will be whether any relevant law or regulation prescribes how protected voter information should be stored and secured. It will be important to identify the states the affected voters were registered in, and determine if and how those states' laws or regulations would apply."

Slawomir Ligier, SVP of engineering at Skyhigh Networks, told SC that voter registration data breaches have become commonplace, but they have never been more dangerous. "With third-party data analytics companies creating individual profiles for every voter, a breach can leak information down to an individual's stance on specific policies. Factoring in the threat of foreign interference in domestic elections, keeping voter information safe becomes an element of democratic infrastructure."

However, he added, Deep Root may not face significant repercussions in the current environment. "The organization claims the data was publicly available, and only some U.S. states have laws regulating voter information," Ligier said.

In contrast, he pointed out, the EU has recently taken steps to crack down on careless data protection practices with the General Data Protection Regulation (GDPR), taking effect in a year. "The law sets harsh fines for any loss or unauthorized sharing of data on an individual, designed to make companies think twice about collecting information they cannot protect. This breach may leave U.S. citizens wondering when their GDPR will arrive."

Lack of security

SC Media received a number of responses from other security and privacy experts. Many told SC that the problem is a lack of security or a failure by those charged with maintaining security controls.

John Bambenek, threat intelligence manager, Fidelis Cybersecurity: We talk about election related hacking and manipulation, but the reality is, most campaigns aren't adopting basic measures to protect their critical information. This voter file is worth tens of millions of dollars and it was put on the internet without any attempt to secure it.

This data can't be used to manipulate elections directly, but political parties do use it to craft specific and targeted messages to voters based on their interests. There is no reason a foreign government couldn't use this data to do the same. At this point, we have no idea who else downloaded this information, but it was available publicly on the internet for some time before it was discovered.

Adam Levin, chairman and founder of CyberScout and author of Swiped: Like political operatives, hackers constantly search for ways to move a person to take a particular action. This database, with political preferences and other private information for millions of Americans, is a treasure trove for creative hackers. They can pose as political action committees or local voting boards in phishing emails, to coax additional information from voters, such as Social Security numbers for identity theft, or they can influence the voting process directly. Any organization that collects and stores data such as voter information must exercise the highest level of cyber hygiene. This includes repeated penetration testing and searches for and patches to new vulnerabilities as well as constant monitoring for unusual data exfiltration. Cybersecurity requires constant vigilance since intruders need only find one tiny point of vulnerability, while defenders must get everything right. For the sake of everyone involved, especially the almost 200 million Americans on this database, we can hope that Vickery was the only person to discover this database.

Ken Spinner, VP of field engineering, Varonis: Exposing personal details of over 198 million Americans shines a light on how important it is to manage access control and secure data, regardless of where it's stored. Contractors and third-parties like Deep Root need to maintain good cybersecurity and data protection practices, while organizations need to audit their contractors for compliance - and make sure they follow best practices in protecting their shared data.

In the case of the RNC voter data, it appears that the exposed sensitive information goes beyond personal data (names, addresses, phone numbers) and includes analysis on potentially controversial topics and political issues – all of it sitting on a publicly accessible Amazon server.

Exposing this type of data – and this much of it – is a huge red flag: not only can critical data and research be compromised, but personal data can be leveraged to breach more secure systems.

Organizations – including contractors – need to make sure their data has basic controls in place. Data can't be open to everyone, users shouldn't be able to access what they're not supposed to, and all access should be monitored and recorded. You can't catch what you can't see, and too many organizations are flying blind. 


Itsik Mantin, director of security research at Imperva: From the public information available, it seems that the voter database was found in a place where anyone from any point in the virtual world can access it.

It is not the first time that a security researcher scanning the data buckets of cloud storage services has found that a significant portion of them are insecure, and that a significant portion of these contain personal data or sensitive business data. What's unique in this event is the quantity and the sensitivity of the data that was kept negligently.

The Artificial Intelligence era we're living in, with AI solutions flourishing in almost every domain, is also the data era, as data is the material from which AI is made. In the data era, you collect what you can, store what you can, either for using it today for a specific purpose, or for using at some point in the future for a yet-to-be-known purpose, using a yet-to-be-developed algorithm.

In this era, organizations find the task of controlling business critical data harder than ever, tracking the number of places where it is stored and cloned, as well as control of who accesses the data - when, why and for what purpose, legitimate or not. And even the organization that builds the perfect data security solution, monitoring, analyzing and assessing every data access, loses control when disclosing sensitive data to partners or customers, or even when one of its users decides to leak this data for ideological, financial or any other reasons.

Michael Patterson, CEO of Plixer: In the age of big data analysis, our personally identifiable information (PII) is being collected and stored by nearly every organization with which we interact. The manufacturers of software require acknowledgments of their end user license agreements (EULAs), which nearly everybody agrees to without reading. EULAs grant permission for these companies to gather and store data about you. Deep Root Analytics has gathered a significant amount of PII, and placed that data online without properly protecting it. The theft of PII is rampant. Every time a third party irresponsibly posts data or they are breached, people's lives are impacted. Bad actors are able to correlate stolen data from multiple sources to piece together the information they need to make monetary gains. Any data that is connected to the internet is vulnerable. It is the responsibility of any organization gathering and storing PII to take best practice approaches to monitoring the integrity of that data and providing timely notification if that data is compromised.

Brad Keller, senior director, third party strategy, Prevalent: The information disclosed by third party vendor Deep Root Analytics seems at first glance to not be especially noteworthy – voter names, addresses, birthdates, and other “phone book” types of data. However, close consideration reveals that this information, previously valued at tens of millions of dollars to its owners, is now essentially worthless to the companies who provided it to Deep Root. In addition, this type of information serves as an important component in identity theft and other criminal activity.

The breach illustrates how a single event can negatively impact dozens of companies, and potentially hundreds of millions of individuals. Every company who provided data to Deep Root Analytics has permanently lost the value of that data. The true impact on individuals is less clear as the extent of “market information” on individuals is unknown. For the Republican National Committee (RNC) their election strategy –  what information is important to them and how they use it – has been revealed. 

While this was voter information, it could have just as easily been a company's go-to-market strategy for a new product, proprietary intellectual property, or a marketing campaign tied to an unannounced merger or acquisition. The point is that even information that may seem benign at first glance, can be extremely valuable and create direct economic loss, if not properly protected.

Human problem

A number of experts said the breach was the result of a human being problem, claiming that it is the responsibility of a public cloud customer to make certain security procedures are not only in place, but maintained.

Sam McLane, head of security engineering, Arctic Wolf: This is another great example of a serious security breach caused by people being lazy. Leaving sensitive data accessible to anybody on the internet is something my eight-year-old knows is wrong, and we have grown people who are doing this. It's time to rethink security and understand that it's not a technology problem but a human being problem. Technology has a place, but a human-centric security approach is the only way you can stop these kinds of preventable security lapses.


Tim Erlin, VP of product management and strategy, Tripwire: The average citizen likely doesn't appreciate the level at which this kind of data drives the political process. This is a treasure trove of personal information that was sitting unprotected on the internet. The headline may be the discovery that this data was accessible, but the real concern is who accessed it previously without reporting the misconfiguration. When data is simply left accessible, without basic, foundational security controls, there's no hacking required to gain access.

The cloud may solve many problems, but it doesn't magically secure your applications or data. Organizations need to ensure they're implementing the same basic controls, regardless of where the systems reside.

Any organization that is managing sensitive data, especially in the cloud, should look at this incident as a wake-up call. Executives should ask themselves if this kind of incident could occur inside of their organization, and then they should follow-up by asking exactly how it would be prevented.

Terry Ray, chief product strategist, Imperva: This was less a leak, but was rather an identified exposed server. From the information provided, the data is not known to have been stolen necessarily. It sounds to me that this is another case of incorrectly secured cloud-based systems.  Certainly, security of private data – especially my data, as I am a voter – should be of paramount concern to companies who offer to collect such data, but that security concern should ratchet up a few marks when the data storage transitions to the cloud, where poor data repository security may not have the type of secondary data center controls of an in-house, non-cloud data repository.

With more data being collected by companies than ever before, securing it is no small task. There are many factors that need to be taken into consideration. Are the environment and the data vulnerable to cyber threats? Who has access to the data? And there's also the issue of compliance. Big data deployments are subject to the same compliance mandates and require the same protection against breaches as traditional databases and their associated applications and infrastructure.

Much of the challenge of securing big data is the nature of the data itself. Enormous volumes of data require security solutions built to handle them. This means incredibly scalable solutions that are, at a minimum, an order of magnitude beyond that for traditional data environments. Additionally, these security solutions must be able to keep up with big data speeds. The multiplicity of big data environments is what makes big data difficult to secure, not necessarily the associated infrastructure and technology. There is no single logical point of entry or resource to guard, but many different ones, each with an independent lifecycle.

There's also the challenge presented by the lack of security knowledge and understanding in the people working most closely with the data: data scientists and developers. Data scientists, with their skills and experience working with structured and unstructured data to deliver new insights, don't necessarily think about the security of the data. It's not surprising given that new technologies have encouraged data scientists to view big data as a giant sandbox where they are the owners and can decide how the data will be used. While most development projects rely on access to non-sensitive, test data instead of live, production data, big data application development by its nature often falls outside of the more secure processes set up within IT. And with higher-access privileges than many others in the organization, developers also present a greater security risk either through accidental means or malicious intent.

The number and breadth of data breaches continues to grow, therefore it is crucial that everyone understands and prioritizes implementing better security for big data.

Rich Campagna, SVP of products, Bitglass: This exposure reinforces the fact that while cloud applications can be secure, it is up to the enterprise to use those applications securely. In this case, technologies exist to quickly, easily and cost effectively encrypt sensitive information, such as voter PII, en route to the cloud, ensuring that even after unauthorized access events, the data remains protected.

Tim Prendergast, CEO of Evident.io: The RNC vulnerability was not a hack and malware wasn't deployed. This was simply a case of human error and poorly defined policies, and it highlights why "intent to secure" isn't enough. Continuous enforcement of strict security is table stakes at this point and it's clear that it's mandatory. Consider all public cloud customers and all their users across the globe - some level of unintended, inadvertent exposure is certainly happening in many organizations. They may have yet to surface, but unless these organizations are aware and able to remediate problems, their data breach could be the next headline. Security is not a one-and-done proposition; it needs to be continuously monitored, enforced, and addressed.

Mike Shultz, CEO, Cybernance: The fact that these confidential files were left on a publicly accessible server should not be a surprise. An organization's greatest threat is usually not an outside attacker, it's the people inside the organization and their mistakes that are the most frequent offenders. The lack of safeguards around the people, processes and policies of this organization have culminated in a massive, embarrassing and extremely troubling leak. This event suggests that there is no emphasis on cyber literacy or training within the company, which is disturbing given the sensitive and private nature of their product and offering.

Simply put, leadership is ultimately responsible for driving a cyber-conscious culture. The U.S. government is cracking down on the sloppy mishandling of sensitive data by assigning responsibility to organizational heads and imposing financial repercussions on those that don't comply. The recent Executive Order on Cybersecurity of Federal Networks designates agency heads as personally responsible for the cyber risk management of their agencies. Similar sentiment exists in New York's Department of Financial Services mandate that places the responsibility of securing customer financial data on the shoulders of company board members and executives. If the embarrassment of disclosing a data breach or leak isn't enough to sway company executives to take security seriously, then perhaps financial penalties and liability—both personal and company-wide—will help jump-start the cyber awareness culture our country so desperately needs.

The revelation that the RNC data was exposed via DRA and vulnerable to unauthorized parties is indicative of a national problem. This is a big deal, because it's the latest discovery in a string of incidents that have put our national security and economy in danger. Every cyberattack or data breach is a direct attack on our economy. The damages from the NSA leak have only just begun – the WannaCry attack is merely the start to what is possible when bad actors get their hands on our vulnerabilities. The Yahoo breach had a huge financial impact on a leader in the communications industry. The DNC email breach was a threat to our democracy. The Sony hack was an international act of aggression. And all of these were preventable through establishing procedures and policies that safeguard information and educate employees on cyber awareness. It's time to show the world that U.S. assets are not available for sale on the dark web.

Solutions

Ensuring the integrity of customer data is an ongoing challenge with a plethora of solutions touted as the panacea, but certainly some fundamental technologies and policies offer a clear roadmap, if not a finite resolution.

John Suit, cybersecurity expert and CTO, Trivalent: Deep Root exposed 25 terabytes of information, including names, dates of birth, addresses, phone numbers and voter registration details of a reported 198M voters, via an unsecured Amazon Cloud account that could be accessed without a login. This is yet another example of data protection continuing to come up short in our digital world – whether that be due to risk posed by employees, vendors, contractors and partners, or next generation threats like ransomware.

With 732 data breaches occurring in the U.S. in the last six months, companies need to prepare for not “if” but “when” an attack will impact their organization. The only way industries will be able to get ahead of ever-increasing data breaches is by seeking next-generation data protection solutions that protect data through a process of shredding and recombining data for only authorized users – especially in the event of a breach. If such protection had been in place in this case, the 198M voters who were potentially impacted could rest easy knowing that their information could never be accessed by malicious actors. 

Paul Fletcher, cybersecurity evangelist, Alert Logic: This exposure of 198 million registered American voters' personally identifiable information (PII) is due to the lack of a defense-in-depth strategy for a third party. It's another example of why companies need to perform ongoing due diligence of the security strategies of vendors and partners. An organization is only as secure as its weakest link, and third-party vendors have been notorious for being the weak point to data leakage and exfiltration.

The fact that this exposure was discovered on a public cloud site is irrelevant. In fact, if the AWS suite of security tools and log collection capabilities were properly implemented, this massive data exposure could've been avoided. The Amazon S3 server comes by default with an access control list (ACL), which needs to be properly setup, maintained and audited by the organization (and in this case), the organization's customer – the GOP. Extra security is also available using server side encryption, again offered by AWS, but the responsibility to implement this solution is up to the public cloud customer.

In this case, the following security best practices would've helped prevent this type of exposure:

Identity and access management – As part of the access control list mentioned above, maintaining who has access to what data and when is critical to operational security.

Encryption – Organizations should encrypt as much as possible, whenever it's possible. According to the statement released by Deep Root Analytics, they stated that they “last evaluated and updated our security settings on June 1, 2017.” It's plausible that a mistake was made during this update of their security settings; this can happen in any organization, so implementing encryption would have provided a “fail safe” in case the data was accessed by an unauthorised party.

Log monitoring and management – Deep Root Analytics' statement also says “we don't believe that our systems have been hacked.” Proper security logging and monitoring would provide much more certainty regarding all the access attempts (authorized or unauthorized) of this data. Organizations that execute a robust log monitoring and management strategy will have better overall situational awareness for their data and system activity.

The potential for this type of data being made available publicly and on the dark web is extremely high. The collection (or aggregation) of PII only helps attackers build a more precise social engineering attack, especially using customised social media and phishing attack scenarios. This only aids the attacker's approach and messaging because the specificity of the details increases the temptation for many people to click on the link.
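The three controls listed above (access control lists, encryption, log monitoring) can be checked mechanically. The following is an added example, not code from the article, Deep Root Analytics or AWS: a Python audit over bucket settings shaped like the S3 API's ACL, policy, encryption and logging responses. The `acl`/`policy`/`encryption`/`logging` wrapper keys, the bucket names and both sample configurations are constructed for illustration.

```python
# Added example: offline audit of S3 bucket settings. Bucket names and
# configurations below are constructed sample data, not from the incident.

# Predefined S3 ACL groups that make a grant effectively public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account holder",
}


def public_acl_grants(acl):
    """Return (permission, audience) for each ACL grant made to a public group."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        audience = PUBLIC_GROUPS.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and audience:
            found.append((grant.get("Permission"), audience))
    return found


def is_wildcard(principal):
    """True when a policy Principal is "*", {"AWS": "*"} or a list containing "*"."""
    if isinstance(principal, dict):
        principal = principal.get("AWS")
    values = principal if isinstance(principal, list) else [principal]
    return "*" in values


def open_policy_statements(policy):
    """Return (sid, has_condition) for each Allow statement with a wildcard principal."""
    statements = (policy or {}).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear unwrapped
        statements = [statements]
    return [
        (s.get("Sid", "<no Sid>"), bool(s.get("Condition")))
        for s in statements
        if s.get("Effect") == "Allow" and is_wildcard(s.get("Principal"))
    ]


def audit_bucket(config):
    """Return a list of (code, detail) findings for one bucket's settings."""
    findings = []
    for permission, audience in public_acl_grants(config.get("acl", {})):
        findings.append(("PUBLIC_ACL", f"{permission} granted to {audience}"))
    for sid, has_condition in open_policy_statements(config.get("policy")):
        # A Condition may narrow the wildcard, so it needs a human look.
        code = "REVIEW_POLICY" if has_condition else "PUBLIC_POLICY"
        findings.append((code, f"statement {sid} allows Principal *"))
    rules = (config.get("encryption") or {}).get("Rules", [])
    if not any(r.get("ApplyServerSideEncryptionByDefault") for r in rules):
        findings.append(("NO_DEFAULT_SSE", "no default server-side encryption rule"))
    if not (config.get("logging") or {}).get("LoggingEnabled"):
        findings.append(("NO_ACCESS_LOG", "server access logging is not enabled"))
    return findings


OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
         "Permission": "FULL_CONTROL"}

EXPOSED = {  # constructed: world-readable, unencrypted, unlogged
    "acl": {"Grants": [OWNER, {
        "Grantee": {"Type": "Group",
                    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
        "Permission": "READ"}]},
    "policy": {"Statement": [{
        "Sid": "AllowGet", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-exposed-bucket/*"}]},
    "encryption": None,
    "logging": {},
}

HARDENED = {  # constructed: owner-only ACL, default SSE, access logging on
    "acl": {"Grants": [OWNER]},
    "policy": None,
    "encryption": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
    "logging": {"LoggingEnabled": {"TargetBucket": "example-log-bucket",
                                   "TargetPrefix": "s3-access/"}},
}

if __name__ == "__main__":
    for name, cfg in (("example-exposed-bucket", EXPOSED),
                      ("example-hardened-bucket", HARDENED)):
        print(name, audit_bucket(cfg) or "no findings")
```

A clean result only means these four settings look sane; it says nothing about who read the data while a bucket was open, which is what the access logs are for.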

Paul Calatayud, chief technology officer, FireMon: Data breaches are often associated with the idea that hackers have attacked and stolen information, but human error frequently attributes to the same amount of records lost each year.

Specifically when it comes to exposed databases, often they are accidentally exposed due to a combination of weak or no passwords protecting the systems as well as poor firewall management. By assessing your firewall configuration in realtime continuous manners, mistakes related to password or ports open by mistake exposing the database can be prevented.

The best mitigation is network security policy management solutions that can quickly audit firewalls and alert when risky ports such as database ports are accessible to the internet preventing such mistakes and data loss from occurring.

Robert Capps, authentication strategist and vice president, NuData Security: This is a serious data leak which allows nation-states to target ordinary U.S. citizens for additional attacks and surveillance, as well as detailed voting information. If this wasn't bad enough, this highly detailed data could potentially be combined with stolen personal data from other data breaches already available on the dark web to create rich profiles of these individuals. Such profiles can be leveraged by cybercriminals and nation-state actors to not only track voting habits, but also use their identities for account takeovers, apply for new credit and much more. The members of the electorate involved in this incident should immediately request a credit freeze with major credit bureaus, and keep close track of account activity through commercial credit monitor services or monitor of their own accounts.

Hervé Dhelin, SVP, EfficientIP: What Amazon has done – update the access settings and put protocols in place to prevent further access – is a good start but it is not enough. Even if the access is being restricted to a few people, if their computers are affected by the malware, data can still be exfiltrated, via DNS for example, and most of the security solutions will certainly be blind.
