198 Million U.S. Citizens’ Personal Info Exposed By Third Party Marketing Firm


News reports are surfacing about a huge voter records leak in the US. According to reports, personal data on 198 million voters, including analytics data that suggests who a person is likely to vote for and why, was stored on an insecure Amazon server. IT security experts commented below.

Brad Keller, Sr. Director, 3rd Party Strategy at Prevalent, Inc.:

“How Safe is your Data?

The information disclosed by third party vendor Deep Root Analytics (https://gizmodo.com/gop-data-firm-accidentally-leaks-personal-details-of-ne-1796211612) seems at first glance to not be especially noteworthy – voter names, addresses, birthdates, and other “phone book” types of data. However, close consideration reveals that this information, previously valued at tens of millions of dollars to its owners, is now essentially worthless to the companies who provided it to Deep Root. In addition, this type of information serves as an important component in identity theft and other criminal activity.

The Gizmodo article illustrates just how the “Spider Web Effect” can cause a single event to negatively impact dozens of companies, and potentially hundreds of millions of individuals. Every company who provided data to Deep Root Analytics has permanently lost the value of that data. The true impact on individuals is less clear as the extent of “market information” on individuals is unknown. For the Republican National Committee (RNC), their election strategy – what information is important to them and how they use it – has been revealed.

While this was voter information, it could have just as easily been a company’s go-to-market strategy for a new product, proprietary intellectual property, or a marketing campaign tied to an unannounced merger or acquisition. The point is that even information that may seem benign at first glance can be extremely valuable and create direct economic loss if not properly protected.”

Itsik Mantin, Director of Security Research at Imperva:

“From the public information available, it seems that the voter database was found in a place where anyone from any point in the virtual world can access it.

It is not the first time that a security researcher scanning the data buckets of cloud storage services has found that a significant portion of them are insecure, and that a significant portion of these contain personal data or sensitive business data. What’s unique in this event is the quantity and the sensitivity of the data that was kept negligently.

The Artificial Intelligence era we’re living in, with AI solutions flourishing in almost every domain, is also the data era, as data is the material from which AI is made. In the data era, you collect what you can, store what you can, either for using it today for a specific purpose, or for using at some point in the future for a yet-to-be-known purpose, using a yet-to-be-developed algorithm.

In this era, organisations find the task of controlling business critical data harder than ever, tracking the number of places where it is stored and cloned, as well as control of who accesses the data – when, why and for what purpose, legitimate or not. And even the organisation that builds the perfect data security solution, monitoring, analysing and assessing every data access, loses control when disclosing sensitive data to partners or customers, or even when one of its users decides to leak this data for ideological, financial or any other reasons.”

Terry Ray, Chief Product Strategist at Imperva:

“This was less a leak, but was rather an identified exposed server. From the information provided, the data is not known to have been stolen necessarily.  It sounds to me that this is another case of incorrectly secured cloud based systems. Certainly, security of private data – especially my data, as I am a voter – should be of paramount concern to companies who offer to collect such data, but that security concern should ratchet up a few marks when the data storage transitions to the cloud, where poor data repository security may not have the type of secondary data centre controls of an in-house, non-cloud data repository.

With more data being collected by companies than ever before, securing it is no small task. There are many factors that need to be taken into consideration. Are the environment and the data vulnerable to cyber threats? Who has access to the data? And there’s also the issue of compliance. Big data deployments are subject to the same compliance mandates and require the same protection against breaches as traditional databases and their associated applications and infrastructure.

Much of the challenge of securing big data is the nature of the data itself. Enormous volumes of data require security solutions built to handle them. This means incredibly scalable solutions that are, at a minimum, an order of magnitude beyond that for traditional data environments. Additionally, these security solutions must be able to keep up with big data speeds. The multiplicity of big data environments is what makes big data difficult to secure, not necessarily the associated infrastructure and technology. There is no single logical point of entry or resource to guard, but many different ones, each with an independent lifecycle.

There’s also the challenge presented by the lack of security knowledge and understanding in the people working most closely with the data: data scientists and developers. Data scientists, with their skills and experience working with structured and unstructured data to deliver new insights, don’t necessarily think about the security of the data. It’s not surprising given that new technologies have encouraged data scientists to view big data as a giant sandbox where they are the owners and can decide how the data will be used. While most development projects rely on access to non-sensitive, test data instead of live, production data, big data application development by its nature often falls outside of the more secure processes set up within IT. And with higher-access privileges than many others in the organisation, developers also present a greater security risk either through accidental means or malicious intent.

The number and breadth of data breaches continues to grow, therefore it is crucial that everyone understands and prioritizes implementing better security for big data.”

Robert Capps, VP of Business Development at NuData Security:

“This is a serious data leak, which allows nation states to target ordinary US citizens for additional attacks and surveillance, as well as detailed voting information. If this wasn’t bad enough, this highly detailed data could potentially be combined with stolen personal data from other data breaches already available on the dark web to create rich profiles of these individuals. Such profiles can be leveraged by cybercriminals and nation-state actors to not only track voting habits, but also use their identities for account takeovers, apply for new credit, and much more. The members of the electorate involved in this incident should immediately request a credit freeze with the major credit bureaus, and keep close track of account activity through commercial credit monitoring services, or monitoring of their own accounts.”

Michael Patterson, CEO at Plixer:

“In the age of big data analysis, our personally identifiable information (PII) is being collected and stored by nearly every organization with which we interact. The manufacturers of software require acknowledgments of their end user license agreements (EULAs), which nearly everybody agrees to without reading. EULAs grant permission for these companies to gather and store data about you. Deep Root Analytics has gathered a significant amount of PII, and placed that data online without properly protecting it. The theft of PII is rampant. Every time a third party irresponsibly posts data or they are breached, people’s lives are impacted. Bad actors are able to correlate stolen data from multiple sources to piece together the information they need to make monetary gains. Any data that is connected to the internet is vulnerable. It is the responsibility of any organization gathering and storing PII to take best practice approaches to monitoring the integrity of that data and providing timely notification if that data is compromised.”

John Suit, Cybersecurity Expert and CTO at Trivalent:

“Deep Root exposed 25 terabytes of information, including names, dates of birth, addresses, phone numbers and voter registration details of a reported 198M voters, via an unsecured Amazon Cloud account that could be accessed without a login. This is yet another example of data protection continuing to come up short in our digital world—whether that be due to risk posed by employees, vendors, contractors and partners, or next generation threats like ransomware.

With 732 data breaches occurring in the U.S. in the last six months, companies need to prepare for not “if” but “when” an attack will impact their organization. The only way industries will be able to get ahead of ever-increasing data breaches is by seeking next generation data protection solutions that protect data through a process of shredding and recombining data for only authorized users—especially in the event of a breach. If such protection had been in place in this case, the 198M voters who were potentially impacted could rest easy knowing that their information could never be accessed by malicious actors.”

Paul Fletcher, Cybersecurity Evangelist at Alert Logic:

“This exposure of 198 million registered American voters’ personally identifiable information (PII) is due to the lack of a defence in depth strategy for a 3rd party. It’s another example of why companies need to perform on-going due diligence of the security strategies of vendors and partners. An organisation is only as secure as its weakest link, and 3rd party vendors have been notorious for being the weak point to data leakage and exfiltration.

The fact that this exposure was discovered on a public cloud site is irrelevant. In fact, if the AWS suite of security tools and log collection capabilities were properly implemented, this massive data exposure could’ve been avoided. The Amazon S3 server comes by default with an access control list (ACL), which needs to be properly set up, maintained and audited by the organisation (and in this case), the organisation’s customer – the GOP. Extra security is also available using server side encryption, again offered by AWS, but the responsibility to implement this solution is up to the public cloud customer.

In this case, the following security best practices would’ve helped prevent this type of exposure:

Identity and Access Management – as part of the access control list mentioned above, maintaining who has access to what data and when is critical to operational security.

Encryption – organisations should encrypt as much as possible, whenever it’s possible. According to the statement released by Deep Root Analytics, they stated that they “last evaluated and updated our security settings on June 1, 2017.” It’s plausible that a mistake was made during this update of their security settings; this can happen in any organization, so implementing encryption would have provided a “fail safe” in case the data was accessed by an unauthorised party.

Log Monitoring and Management – Deep Root Analytics’ statement also says “we don’t believe that our systems have been hacked.” Proper security logging and monitoring would provide much more certainty regarding all the access attempts (authorised or unauthorised) of this data. Organisations that execute a robust log monitoring and management strategy will have better overall situational awareness for their data and system activity.

The potential for this type of data being made available publicly and on the dark web is extremely high. The collection (or aggregation) of PII only helps attackers build a more precise social engineering attack, especially using customised social media and phishing attack scenarios. This only aids the attacker’s approach and messaging because the specificity of the details increases the temptation for many people to click on the link.”
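The three practices listed in the last comment above (access control, encryption, logging) can be checked together for each bucket. The following is an added example, not code from the article or from any of the people quoted: it audits settings in the JSON shape printed by `aws s3api get-bucket-acl`, `get-bucket-encryption` and `get-bucket-logging`, and the function name `audit_bucket`, the bucket names and all sample values are assumptions constructed for illustration.

```python
# Added example: offline audit of S3 bucket settings exported with the
# `aws s3api get-bucket-*` commands. All names and values are constructed.

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

def audit_bucket(name, acl, encryption, logging):
    """Return a list of findings for one bucket (empty list = none found)."""
    findings = []
    # 1. Access control: flag ACL grants made to the global groups.
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        who = PUBLIC_GROUPS.get(grantee.get("URI", ""))
        if grantee.get("Type") == "Group" and who:
            findings.append(f"{name}: ACL grants {grant.get('Permission')} to {who}")
    # 2. Encryption: require a default server-side encryption rule.
    rules = (encryption or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not any(r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules):
        findings.append(f"{name}: no default server-side encryption rule")
    # 3. Logging: require server access logging to a target bucket.
    if not (logging or {}).get("LoggingEnabled", {}).get("TargetBucket"):
        findings.append(f"{name}: server access logging is disabled")
    return findings

# Constructed sample data (not taken from the incident).
EXPOSED = {
    "acl": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ]},
    "encryption": None,   # no encryption configuration returned
    "logging": {},        # empty response means logging is off
}
HARDENED = {
    "acl": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
    ]},
    "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    "logging": {"LoggingEnabled": {"TargetBucket": "example-log-bucket", "TargetPrefix": "s3/"}},
}

if __name__ == "__main__":
    for label, cfg in (("example-exposed", EXPOSED), ("example-hardened", HARDENED)):
        for line in audit_bucket(label, **cfg) or [f"{label}: no findings"]:
            print(line)
```

ACLs are only one route to public access; a bucket policy can also open a bucket, so a complete audit would review policies as well.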