Kromtech Security Center researchers discovered an unsecured U.S. voter database was exposed to the public internet due to a misconfiguration of CouchDB instance.
The database contained information on 593,328 Alaskan voters and appeared to be part of VoterBase, a national voter file compiled and provided by TargetSmart, a provider of political data and technology, according to a Sept. blog post.
The breach was attributed to Minnesota AI software firm Equals3's failure to secure some of their data and some data they license from TargetSmart. The AI company claims that misconfigured information has since been secured and said although the data was left exposed, it wasn't accessed by unauthorized personnel.
“When the database was configured, administrators bypassed important security settings that were set to “public” instead of “private”, allowing anyone with an internet connection to gain access the repository,” the post said. “Those who follow cybersecurity news may remember that in early 2017 an estimated 10% of CouchDB servers were victims of ransomware because of the same misconfiguration.”
This isn't the first time sensitive information has been left exposed due to careless misconfigurations, researchers said.
"We are seeing a lot of these kinds of incidents at the moment, whereby least privileges are not enforced; or worse, no user credentials are used at all," Alert Logic EMEA Director Oliver Pinson-Roxburgh told SC Media. "Organisations need to understand where their sensitive data lies, how it is protected as well continually monitoring for change or this will continue to happen."
Experts agreed that its a growing problem companies should address.
As more and more companies migrate datasets to the cloud, it is becoming apparent that many lack the cloud skills needed to secure the cloud infrastructure, gain assurance that the cloud infrastructure is secured appropriately, or monitor their cloud environments for unauthorised access," AlienVault Security Advocate Javvad Malik told SC Media. "While cloud can bring benefits of having a resilient infrastructure, security cannot be outsourced, and much of the responsibility remains with the customer."