Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

RNC Voter Data on 198 Million Americans Exposed in the Cloud

One of the largest known US voter data leaks compromised personal information via an unsecured public-storage cloud account set up on behalf of the Republican National Committee.

Millions of voter records containing personal information and "modeled" voter information like religion and race were leaked from an unsecured public storage cloud account owned by Deep Root Analytics, according to an announcement today by UpGuard, which discovered the leak.

The leaked voter information included voter birth dates, home and mailing addresses, phone numbers, party affiliation, self-reported racial information, and "modeled" voter profile, all of which could be accessed without a password, according to UpGuard. This information was held in an Amazon Web Services S3 bucket storage account owned by Deep Root Analytics, which performed work on behalf of the Republican National Committee.

The leak occurred because Deep Root had set the S3 storage bucket files to public permissions, rather than private, says Chris Vickery, an UpGuard cyber risk analyst, who made voter data leak discovery.

Not only were the voter data files publically viewable, but most had permissions to also allow the records to be downloaded, Vickery says.

"Ultimately, what they did wrong was not having some sort of monitoring going on for their externally facing systems," Vickery says. If Deep Root had put a monitoring system in place, it would have seen the files were improperly set to public. 

Deep Root Analytics acknowledged the voter data leak and took "full responsibility for this situation," according to a report in The Hill.

Although Deep Root Analytics in The Hill report said the voter data had been exposed since June 1, Vickery says he would not be surprised if the data had been unsecured and public even prior to that time.

Vickery ran across the Deep Root data on June 12, when he discovered an open cloud repository in an Amazon Web Services S3 bucket. Vickery, at the time of the discovery, was searching for misconfigured data sources for UpGuard. It turned out that anyone pursuing the Internet and traveling to Amazon's sub-domain "dra-dw" would have come across Deep Root's data warehouse, according to UpGuard.

Upon this discovery, Vickery said he realized Deep Root may have violated state laws and decided to contact federal authorities before reaching out to the company. Later that same day, the voter data became no longer accessible, Vickery says. He's not sure if Deep Root fixed it on its own accord, or whether it was fixed because federal authorities contacted the company.

Leaks With Amazon Web Services S3

The situation with Deep Root is not the first time a company has left its data exposed to the public. Government contractor Booz Allen Hamilton recently left 60,000 documents of sensitive US data exposed on AWS S3, which Vickery also discovered.

He says it's very common to find S3 files that are incorrectly marked to a public setting. Amazon has a shared risk model, which requires its clients to take responsibility for the permission settings they put on their files, Vickery notes.

"The take-away for CISOs is they need to take a hard look at what data you want in the cloud," Vickery advises. He notes that highly sensitive data may be better housed in a non-cloud environment.

And if a company does opt to use a third-party vendor to store sensitive data, Vickery says, "You have to be real careful and look at the reputation of the company you are dealing with. But sometimes it's hard to know, so you need to trust but verify if you have the spare bandwidth."

Paul Fletcher, a security evangelist with Alert Logic, shares a similar sentiment.

"The fact that this exposure was discovered on a public cloud site is irrelevant, in fact, if the AWS suite of security tools and log collection capabilities were properly implemented, this massive data exposure could’ve been avoided," Fletcher said in a statement.

Amazon S3 comes with an access control list (ACL) that requires its default settings be changed to the appropriate permissions, as well as its settings maintained and audited by the organization using S3. 

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada, July 22-27, 2017. Click for information on the conference schedule and to register.

 

Related Content:

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
The Cold Truth about Cyber Insurance
Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
Black Hat Q&A: Hacking a '90s Sports Car
Black Hat Staff, ,  11/7/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5230
PUBLISHED: 2019-11-13
P20 Pro, P20, Mate RS smartphones with versions earlier than Charlotte-AL00A 9.1.0.321(C00E320R1P1T8), versions earlier than Emily-AL00A 9.1.0.321(C00E320R1P1T8), versions earlier than NEO-AL00D NEO-AL00 9.1.0.321(C786E320R1P1T8) have an improper validation vulnerability. The system does not perform...
CVE-2019-5231
PUBLISHED: 2019-11-13
P30 smartphones with versions earlier than ELLE-AL00B 9.1.0.186(C00E180R2P1) have an improper authorization vulnerability. The software incorrectly performs an authorization check when a user attempts to perform certain action. Successful exploit could allow the attacker to update a crafted package.
CVE-2019-5233
PUBLISHED: 2019-11-13
Huawei smartphones with versions earlier than Taurus-AL00B 10.0.0.41(SP2C00E41R3P2) have an improper authentication vulnerability. Successful exploitation may cause the attacker to access specific components.
CVE-2019-5246
PUBLISHED: 2019-11-13
Smartphones with software of ELLE-AL00B 9.1.0.109(C00E106R1P21), 9.1.0.113(C00E110R1P21), 9.1.0.125(C00E120R1P21), 9.1.0.135(C00E130R1P21), 9.1.0.153(C00E150R1P21), 9.1.0.155(C00E150R1P21), 9.1.0.162(C00E160R2P1) have an insufficient verification vulnerability. The system does not verify certain par...
CVE-2010-4177
PUBLISHED: 2019-11-12
mysql-gui-tools (mysql-query-browser and mysql-admin) before 5.0r14+openSUSE-2.3 exposes the password of a user connected to the MySQL server in clear text form via the list of running processes.