RNC leak of voter database exposes poor cloud security practices

There has been a rash of bad cybersecurity practices uncovered in the U.S. government over the past couple of years, but the most recent is an RNC leak of voter database information that experts say could have been avoided.

A researcher from the UpGuard Cyber Risk team found a Republican National Committee (RNC) leak of voter database information that was left exposed and unsecured by Republican data firm Deep Root Analytics on an Amazon Web Services (AWS) server for anyone to uncover.

UpGuard cyber risk analyst Chris Vickery, found 198 million voter database records unsecured on an AWS server connected to the RNC. And, Vickery said it was “not very difficult” to find the data.

“The specter of misconfigured cloud-based storage servers spilling data onto the open internet continues to be an all-too common phenomenon, as evidenced by UpGuard’s discovery of an RNC data firm’s publicly accessible database exposing the personal details of 198 million potential voters,” the UpGuard team told SearchSecurity. “While the scale may be unprecedented, the core issues driving the exposure are pervasive across the internet. There was a six letter character subdomain between 198 million people and exposure. This database was publicly exposed for an unknown period of time and if anyone entered that six letter subdomain, they could have accessed it.”

Making matters worse, the voter database information in the RNC leak was “very detailed” according to UpGuard, including data on potential voters for Obama and Romney in 2012, potential voters for Trump and Clinton in 2016, as well as individuals who may vote regarding issues such as the environment or education in science, technology, engineering and math. The database also included data on people who vote on specific issues such as ObamaCare, fossil fuel usage, infrastructure investment and whether or not to stop illegal immigration, or whether the voter felt positively or negatively towards the financial situation of the U.S.

According to Adam Conway, vice president of product management at Bracket Computing, a cloud computing security company based in Mountain View, Calif., this RNC leak is likely “indicative of how easy it is to make mistakes configuring cloud storage resources — mistakes that can put critical sensitive assets at risk.”

The discovery comes less than a month after Vickery uncovered a similarly unsecured AWS file repository that appeared to be registered by Booz Allen Hamilton (BAH), the government services company headquartered in McLean, Va.

“[The] Public cloud is self-service, and anyone with admin account access can change the privacy settings on a server like the ones in the [BAH] and Deep Root examples. Developers or contractors might set servers to public accidentally, to make it easier to configure applications accessing the data, or maliciously,” Conway told SearchSecurity. “All organizations — government agencies and enterprises alike — are vulnerable to this scenario because it’s so hard to prevent in a self-service world.”

Itsik Mantin, director of security research at Imperva, said that when dealing with the cloud, “controlling sensitive data in the modern era of data flooding is a challenge to most of the industries.”

“In order to test whether a bucket is public, the only thing you need to know is the bucket name,” Mantin told SearchSecurity. “A malicious actor that is interested in a specific organization can try various guesses for names related to the target, and if the bucket is misconfigured, as [it] was in this case, the right guess will lead to data exposure.”

Michael Patterson, CEO of Plixer, the network traffic analysis company based in Kennebunk, Maine, told SearchSecurity that “any organization that harbors confidential information on systems that are connected to the internet are at risk.”

“Most governments are a target and should assume that they are already infected with malware which intends to heist their data. Bad data protection practices are certainly part of the problem,” Patterson said. “Having good monitoring systems in place that provide network traffic intelligence is another issue. When compromises occur — and they will — how will the organization investigate what happened?”

Ben Johnson, CTO at Obsidian Security, a cybersecurity startup based in Newport Beach, Calif., said “unprotected databases are either found through active engagement — essentially hunting and poking around — or through automated means.”

“On the automated front, sometimes it is as easy as figuring out the proper Google query to find exposed data, whereas other times attackers write automated systems to scour the Internet (or the cloud providers) for certain accessible elements which then lead to the treasure trove of data,” Johnson told SearchSecurity. “Once these exposures are made public, more actors jump into the mix to try to exploit and monetize the data.” 

Likely widespread RNC leak issues

Given the poor security efforts demonstrated in this RNC leak of voter database information, experts said it was likely there was a more widespread issue.

“If you see one problem, you likely have a widespread problem. Even government agencies that have very strong data protection practices are likely to be working with third-party contractors that do not. BAH and Deep Root are most definitely not the only agencies/contractors that have left data unprotected in the public cloud,” Rich Campagna, SVP of products and marketing at Bitglass, the cloud and mobile security company headquartered in  told SearchSecurity. “To find these unsecured data stores, you need to look for them. But anyone that knows how to execute a simple scan can access this data directly, without cracking passwords, encryption, etc.”

Patterson said that “any data that is connected to the internet is vulnerable.”

“The theft of personally identifiable information (PII) is rampant.  Every time a third party irresponsibly posts data or they are breached, people’s lives are impacted. Bad actors are able to correlate stolen data from multiple sources to piece together the information they need to make monetary gains.  Any data that is connected to the internet is vulnerable,” Patterson said. “It is the responsibility of any organization gathering and storing PII to take best practice approaches to monitoring the integrity of that data and providing timely notification if that data is compromised.”

Ken Spinner, vice president of field engineering at Varonis, the security software company based in New York, said that in the case of the RNC voter data, “it appears that the exposed sensitive information goes beyond personal data (names, addresses, phone numbers) and includes analysis on potentially controversial topics and political issues — all of it sitting on a publicly accessible Amazon server.”  

“Exposing this type of data, and this much of it is a huge red flag, not only can critical data and research be compromised, but personal data can be leveraged to breach more secure systems,” Spinner told SearchSecurity. “Organizations — including contractors — need to make sure their data has basic controls in place. Data can’t be open to everyone, users shouldn’t be able to access what they’re not supposed to, and all access should be monitored and recorded. You can’t catch what you can’t see, and too many organizations are flying blind.”

RNC leak in regards to cloud security

According to John Bambenek, threat intelligence manager at Fidelis Cybersecurity, said, “if the data is sensitive to disclosure, real thought needs to be given on whether to put this sensitive data into cloud services in the first place.” 

“If an organization opts to do that, then they need to ensure effective security controls are in place to control access. That means at a minimum access keys (or username/password), but likely encryption should be examined too,” Bambenek told SearchSecurity. “Access keys can be stolen and once they are, very rarely are those keys changed.”

Tim Prendergast, CEO of Evident.io, a cloud security company based in Pleasanton, Calif., said the RNC leak might be due to the RNC team having “the right intentions, but ‘intent to secure’ isn’t enough.”

“Government organizations and those working with the government have the highest responsibility to enforce continuous security and compliance monitoring as they have an obligation to protect their citizen’s data,” Prendergast told SearchSecurity. “Hackers are always looking for the path of least resistance, so when there’s an easy way to access data, once discovered it will be exploited immediately. It’s also important to note that when data is this available, it’s vulnerable even to non-malicious intent. An unauthorized, but well-meaning actor could inadvertently delete, change, or even duplicate files and share outside of the intended group of users.”

Avoiding cloud data leaks

Imperva’s Mantin said, “enterprises should take control of their business critical data, regardless of whether it is stored within the organization perimeter in endpoints, databases and file shares, or via cloud services.”

“This includes monitoring and auditing data access, and using analytics tools to identify attacks and anomalous behavior,” Mantin said. “For example, retrieving a large amount of sensitive data that raises an alert to a security officer can lead not only to examining whether it was done for legitimate reasons, but also reviewing the practices taken by the user to keep this data safe.”

Mike Shultz, CEO of Cybernance, a cybersecurity company based in Bee Cave, Texas, said the first step in preventing an exposure like that of the RNC leak is to “understand your organization’s current cybersecurity posture.”

“Requiring the same level of cybersecurity maturity of your third party partners as you do of yourself is vital for protecting the information your organization works so hard to secure.” Shultz told SearchSecurity. “Regular employee training programs for all departments, including full and part-time staff, must be upheld, as 80% of breaches are due to failures of people on the inside, not failures of technology. Accountability is the last piece of this puzzle, which should fall on leadership’s shoulders. If executives do not implement and mandate enterprise-wide awareness and training, liability falls to them in the event of an inevitable breach.”

Prendergast said creating a “culture of security within an enterprise is a first step.”

“Things like multi-factor authentication and demanding complex passwords are a good start,” Prendergast said. “Beyond that, IT and DevOps teams should be constantly monitoring and auditing the different parts of their internal operations to determine where vulnerabilities tend to happen, and employ strict and fast remediation policies to fix issues and ensure they don’t happen in the future.”

Scott Petry, CEO of Authentic8, the Mountain View, Calif., cloud browser company, said “organizations need to treat all data as sensitive and protect it.” 

“A loss of data can present existential risk to an organization, and their information security perspective needs to change,” Petry told SearchSecurity. “When firms outsource work to contractors, they need to be as vigilant if not more so than with the work product of an employee. A number of high profile breaches over the last year point back to contractors or consultants.”