Some SuperPAC Websites Are Not Super-Secure

Researchers find weaknesses in public websites that could expose personal information of donors and other sensitive data.

New research found gaping security holes in several SuperPAC public websites – from weak or nonexistent encryption and open ports to old and outdated server platforms.

Security firm UpGuard assessed the security postures of top SuperPACs active in the 2016 US election, and rated them with a FICO-like score between 0 and 950, with 950 as the most secure. UpGuard found scores as low as 266 for the Conservative Solutions PAC, and 409 for Priorities USA Action, to scores as high as 836 for both Rebuilding America Now and NextGen Climate Action.

Websites of 501(c) groups, which also are not required to disclose donor names publicly, scored at the high end on security. The National Rifle Association's 501(c) had the highest score among those groups, with 836, followed by the US Chamber of Commerce, 751; American Future Fund, 751; and Americans for Prosperity, 751.

Overall, SuperPACs scored similarly to other sectors. "They were average, not stellar, and not lower than what we see for websites in other groups," says Greg Pollock, vice president of product for UpGuard. "The interesting point will be what if these sites were breached. What would happen? There could be more identity and reputational damage."

These groups typically don't store payment card information, he notes, but SuperPACs can keep personal information of donors, for example. "The whole purpose of these organizations is to shroud who's giving money," so a breach could expose donors' identities, he notes.

SuperPACs are controversial political groups that can raise and spend unlimited funds and then use that money to independently campaign for or against a political candidate or party.

Pollock says his firm used its CSTAR risk assessment method when it analyzed the SuperPAC websites. The main security weaknesses were a lack of encryption (no HTTPS), no email authentication to guard against phishing scams, and no DNSSEC adoption. One of the weakest sites had a wide-open MySQL port. "It had its SSH port exposed," he says.

On the plus side, the NextGen Climate Action SuperPAC site, for example, was running NGINX, one of the more modern web platforms. "Some [others] were exposing their PHP version [software], with several headers showing," he says.
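The weaknesses named above can be checked on a site you operate. The following is an added example, not UpGuard's CSTAR method or code from the report. It audits already-collected observations offline; the domain `pac.example`, the field names, the sample values, and the use of SPF and DMARC records as the "email authentication" signal are all assumptions made for illustration.

```python
import re

# Constructed observations for a hypothetical site (not data from the report).
SAMPLE = {
    "final_url": "http://pac.example/",
    "raw_headers": (
        "HTTP/1.1 200 OK\r\n"
        "Server: Apache/2.2.15 (CentOS)\r\n"
        "X-Powered-By: PHP/5.3.3\r\n"
        "Content-Type: text/html\r\n\r\n"
    ),
    "txt": {"pac.example": ["google-site-verification=abc"]},
    "dnskey_count": 0,          # DNSKEY records seen at the zone apex
    "open_ports": [22, 80, 3306],
}

# Product token followed by a version number, e.g. "PHP/5.3.3".
VERSIONED = re.compile(r"[A-Za-z][\w.-]*/\d+(\.\d+)*")

def parse_headers(raw):
    """Return a dict of lower-cased header names from a raw response head."""
    headers = {}
    for line in raw.split("\r\n")[1:]:      # skip the status line
        if not line:                        # blank line ends the head
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def audit(obs, domain):
    """List the weaknesses from the article that the observations show."""
    findings = []
    if not obs["final_url"].lower().startswith("https://"):
        findings.append("no-https")
    headers = parse_headers(obs["raw_headers"])
    for name in ("server", "x-powered-by"):
        if VERSIONED.search(headers.get(name, "")):
            findings.append(f"version-disclosure:{name}")
    txt = obs["txt"]
    if not any(r.lower().startswith("v=spf1") for r in txt.get(domain, [])):
        findings.append("no-spf")
    dmarc = txt.get(f"_dmarc.{domain}", [])
    if not any(r.lower().startswith("v=dmarc1") for r in dmarc):
        findings.append("no-dmarc")
    if obs["dnskey_count"] == 0:            # unsigned zone: no DNSSEC
        findings.append("no-dnssec")
    for port, label in ((3306, "exposed-mysql"), (22, "exposed-ssh")):
        if port in obs["open_ports"]:
            findings.append(label)
    return findings
```

A zone with DNSKEY records still needs a DS record at its parent to validate, so a complete DNSSEC check goes one step further than this count.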

Overall, SuperPAC sites have better security postures than healthcare websites UpGuard has assessed. And so far, no major incidents: "We have no indicators" that any of the SuperPAC sites have been breached, he says.

Efforts to reach the lowest-scoring SuperPACs, Conservative Solutions PAC and Priorities USA Action, were unsuccessful as of this posting.

The other SuperPACs UpGuard scored by risk: Get Our Jobs Back, 399; For Our Future, 475; Congressional Leadership Fund, 513; Right to Rise USA, 523; Senate Leadership Fund, 561; Senate Majority, 561; and House Majority PAC, 561.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

11/7/2016 | 8:07:41 PM
No Surprise
I could have guessed that the NRA would have a high security score