A Virginia-based political campaign and robocalling company Robocent left hundreds of thousands of voter records on a public, exposed and unprotected Amazon S3 bucket. This year has already seen a lineup of attempted attacks on local elections and campaigns, but this news comes less than a week after the indictment of 12 Russian officials for meddling in the 2016 US presidential election.
According to an 18 July blog post by Bob Diachenko, head of communications at Kromtech Security, Robocent’s self-titled bucket was reportedly "indexed by GrayhatWarfare, a searchable database where a current list of 48,623 open S3 buckets can be found. Repository contained both audio files, with pre-recorded political messages for robocalls dials (*.mp3, *.wav), and voter data (*.csv, *.xls files)."
Voter names, phone numbers, addresses, age, gender, jurisdiction breakdown and political affiliation were some of the information included in the data, which Robocent co-founder told ZDNet was publicly available information that the company was only "keeping track of."
“Voter data is extremely sensitive and leaks like this highlight the need for organizations to maintain visibility into where their data is located within their cloud infrastructure and whether the storage system is risk appropriate given the sensitivity of the information. It’s easy for a fast-growing or seasonal organization like this one to lose track of that risk over time,” said Sam Bisbee, CSO, Threat Stack.
“Many companies have critical AWS cloud security misconfigurations. It’s an easy mistake to make. AWS customer needs to take responsibility for their security by prioritizing infrastructure visibility. Find ways to proactively create transparency within the cloud to effectively manage the security of data and systems and you give your organization the best chance of defending itself against cybercriminals.”
The security of the 2018 midterm elections is a growing concern, which makes the lack of proper cybersecurity hygiene through virtually all job roles within the election ecosystem, private and public, problematic for security, said Ben Johnson, CTO and co-founder, Obsidian Security.
“Given this abysmal state of election security, one has to assume that any voter data that hasn’t already leaked soon will,” Johnson said. “Companies, campaigns and individuals are all racing to collect and utilize data without doing nearly enough to properly safeguard it. When you combine poor practices with lucrative data and motivated, sophisticated attackers, this picture will get worse before it gets better.”