Some SuperPAC Websites Are Not Super-Secure

Researchers find weaknesses in public websites that could expose personal information of donors and other sensitive data.

New research found gaping security holes in several SuperPAC public websites – from weak or nonexistent encryption and open ports to old and outdated server platforms.

Security firm UpGuard assessed the security postures of top SuperPACs active in the 2016 US election and rated them with a FICO-like score between 0 and 950, with 950 being the most secure. UpGuard found scores ranging from as low as 266 for the Conservative Solutions PAC and 409 for Priorities USA Action, to as high as 836 for both Rebuilding America Now and NextGen Climate Action.

And 501(c) group websites, which also are not required to disclose donor names publicly, scored on the high end security-wise. The National Rifle Association's 501(c) had the highest score among those groups, with 836, followed by the US Chamber of Commerce, 751; American Future Fund, 751; and Americans for Prosperity, 751.

Overall, SuperPACs scored similarly to other sectors. "They were average, not stellar, and not lower than what we see for websites in other groups," says Greg Pollock, vice president of product for UpGuard. "The interesting point will be what if these sites were breached. What would happen? There could be more identity and reputational damage."

These groups typically don't store payment card information, he notes, but SuperPACs can keep personal information of donors, for example. "The whole purpose of these organizations is to shroud who's giving money," so a breach could expose donors' identities, he notes.

SuperPACs are controversial political groups that can raise and spend unlimited funds and then use that money to independently campaign for or against a political candidate or party.

Pollock says his firm used its CSTAR risk assessment method when it analyzed the SuperPAC websites. The main security weaknesses were a lack of encryption (no HTTPS), no email authentication to prevent phishing scams, and no DNSSEC adoption. One of the weakest sites had a wide-open MySQL port. "It had its SSH port exposed," he says.

On the plus side, the NextGen Climate Action SuperPAC site, for example, was running NGINX, one of the more modern web platforms. "Some [others] were exposing their PHP version [software], with several headers showing," he says.
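To make the checklist concrete, here is an added Python example (not UpGuard's code; the site data is constructed and the per-finding penalty is my own assumed weight, not the CSTAR method) that scores an observed site against the weaknesses described above: missing HTTPS, missing SPF/DMARC email authentication, no DNSSEC, exposed MySQL and SSH ports, and server software versions leaked in response headers.

```python
import re

# Constructed observation of a weak site, modelled on the article's findings.
# Hostname-free on purpose: every value here is made up for illustration.
SAMPLE_SITE = {
    "https_ok": False,                       # did https://<host>/ serve a valid cert?
    "headers": {                             # response headers from the HTTP probe
        "Server": "Apache/2.2.15 (CentOS)",
        "X-Powered-By": "PHP/5.3.3",
    },
    "txt_records": ["google-site-verification=abc123"],  # TXT at the zone apex
    "dmarc_txt": [],                         # TXT at _dmarc.<host>
    "has_ds": False,                         # DS record in the parent zone (DNSSEC)
    "open_ports": [22, 80, 3306],
}

# Constructed observation of a hardened site, for contrast.
HARDENED_SITE = {
    "https_ok": True,
    "headers": {"Server": "nginx", "Strict-Transport-Security": "max-age=31536000"},
    "txt_records": ["v=spf1 include:_spf.example.invalid -all"],
    "dmarc_txt": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid"],
    "has_ds": True,
    "open_ports": [80, 443],
}

VERSION_RE = re.compile(r"/\d+(\.\d+)+")    # matches "Apache/2.2.15", "PHP/5.3.3"
RISKY_PORTS = {22: "SSH", 3306: "MySQL"}    # services the article saw exposed

def assess(site):
    """Return (score, findings) for one observed site.

    Starts at 950, the top of the article's scale, and subtracts an assumed
    fixed penalty of 90 per finding (my weighting, not UpGuard's)."""
    findings = []
    if not site["https_ok"]:
        findings.append("no HTTPS: pages and donation forms travel in cleartext")
    if not any(t.lower().startswith("v=spf1") for t in site["txt_records"]):
        findings.append("no SPF record: domain can be spoofed in phishing mail")
    if not any(t.lower().startswith("v=dmarc1") for t in site["dmarc_txt"]):
        findings.append("no DMARC policy: spoofed mail is neither rejected nor reported")
    if not site["has_ds"]:
        findings.append("no DNSSEC: DNS answers for the domain are not signed")
    for port in sorted(site["open_ports"]):
        if port in RISKY_PORTS:
            findings.append(f"{RISKY_PORTS[port]} (port {port}) reachable from the internet")
    for name, value in site["headers"].items():
        if VERSION_RE.search(value):
            findings.append(f"{name} header discloses software version: {value}")
    return max(0, 950 - 90 * len(findings)), findings
```

Feeding the weak observation through `assess` yields eight findings and a score of 230, in the range of the lowest-scoring sites in the article; the hardened observation yields no findings and the maximum 950.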

Overall, SuperPAC sites have better security postures than healthcare websites UpGuard has assessed. And so far, no major incidents: "We have no indicators" that any of the SuperPAC sites have been breached, he says.

Efforts to reach the lowest-scoring SuperPACs, Conservative Solutions PAC and Priorities USA Action, were unsuccessful as of this posting.

The other SuperPACs UpGuard scored by risk: Get Our Jobs Back, 399; For Our Future, 475; Congressional Leadership Fund, 513; Right to Rise USA, 523; Senate Leadership Fund, 561; Senate Majority, 561; and House Majority PAC, 561.

Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

11/7/2016 | 8:07:41 PM
No Surprise
I could have guessed that the NRA would have a high security score