Another Day, Another Pile Of Voter Data Left Laying Around On A Public Server
from the you'd-think-we'd-learn-something dept
Leaving private voter or customer data easily accessible on a public-facing server is the hot new fashion trend. You’ll recall that it’s a problem that has plagued the Defense Department, GOP data firm Deep Root Analytics (198 million voter records exposed), Verizon’s marketing partners (6 million users impacted), Time Warner Cable (4 million users impacted), and countless other companies or partners that failed to implement even basic security practices. And it’s a trend that shows no sign of slowing down despite repeated, similar stories (much of it thanks to analysis by security researcher Chris Vickery).
This week yet another pile of private voter data was left publicly accessible for anybody to peruse. According to analysis by Kromtech Security?s Bob Dianchenko, a Virginia-based political consulting and robocalling company by the name of Robocent publicly exposed 2,600 files, including voter file spreadsheets (including voter phone numbers, names, addresses, political affiliations, gender, voting districts and more) and audio recordings for a number of political campaigns.
When Diachenko contacted the firm, he was told that they were a “small shop” and that “keeping track of everything can be tough.” In a statement to ZDNet, which first reported the latest exposure, Robocent co-founder Travis Trawick did his best to downplay the exposure by insisting the data was stale, and publicly-available anyway:
“In an emailed statement, Robocent co-founder Travis Trawick confirmed that the data had been secured, and claimed that the data was from “an old bucket from 2013-2016 that hasn’t been used in the past two years.” He confirmed that the company is investigating the scope of the data that was accessible. “All exposed data was publically available information,” he said, adding that he will contact affected customers “if required by law.”
The problem: what’s deemed “publicly available” varies from state to state. While voter data is generally a matter of public record, states like Maine and Massachusetts restrict the use of such data for political campaign purposes. Other States, like South Carolina, have restrictions on only selling said data if you’re a registered voter in the state. And while the data may have been stale, it still wasn’t adequately protected however you slice it; it was quickly indexed by GrayhatWarfare, a searchable database where a current list of 48,623 open S3 buckets can be perused at your leisure.
This latest exposure is believed to be the fifth major breach of voter data in the last half-decade. It’s a trend that shows no real sign of slowing down despite the simplicity of protecting this data and the rampant press coverage such exposures routinely receive.
Filed Under: bob dianchenko, data breach, security, travis trawick, voter data, voting
Companies: kromtech security, robocent
Comments on “Another Day, Another Pile Of Voter Data Left Laying Around On A Public Server”
Uriel's Conclusion (based on many observations)
It’s a great era for hackers.
Is there anyone
in the US whose personal data has not been revealed / stolen? Maybe even multiple times?
Re: Is there anyone
Everyone should assume their info has been exposed and behave accordingly.
Re: Re: Is there anyone
Definitely. After Equifax, believing anything else is simply foolhardy.
Re: Is there anyone
At this point my goal in life is to be unmonetizable.
Re: Re: Is there anyone
You strive to be worthless?
You could just go into politics.
Re: Re: Re: Is there anyone
Or Law enforcement.
Re: Re: Re:2 Is there anyone
Only worthless to the advertisers.
Re: Re: Is there anyone
Just run add blockers, that way the advertisers waste money to figure out which adds you will not see.
This might explain why I am suddenly getting all these scam charity calls all of the sudden. Then there is the “save 30% on your electric bills 30% from random cell numbers
“he was told that they were a “small shop” and that “keeping track of everything can be tough.””
If there were actual penalties to be paid for fscking around on security, I betcha they could keep track of things.
Until the cost to the company is greater than the downside they will keep doing things in a shitty fashion. The only people making bank on this are the credit monitoring services (who leak only slightly less than those who buy their service in bulk to stop lawsuits).
Pretty sure it wouldn’t take huge numbers to cause change.
Say $1000…. $500 to the Government & $500 to the person who had their data leaked (because no settlement is ever enough so why the fsck not).
It was the Ruskies.
Where is Amazon?
Not to minimize the incompetence of these shops, but it seems many of these breaches are of Amazon S3/AWS. I admit I know nothing about how Amazon sets up their cloud offering, but could Amazon help by making their offering more secure by default?
Re: Where is Amazon?
I don’t know squat about Amazon AWS, but I’m also not going to point at the provider of the building blocks for the idiocy of the people who used them to build something.
Wouldn’t be at all surprised if Amazon does provide some very easily implemented basic-level security options/services that this particular company never took advantage of.
Don’t push blame down the stack.
Re: Re: Where is Amazon?
Perhaps blame should be pushed down the stack, this issue is a serious one, and everyone involved should be looked at. He stated that Amazon was a easy target due to lack thereof of security, it can only help everyone involved to increase said security.
Don’t pretend that no big fishes are to blame in this mess, ignorance ain’t no bliss, wake up.
Re: Re: Re: Where is Amazon?
This is like: You get robbed because you do not lock your door, then blame the door or lock manufacturer because the door/lock wasn’t designed to lock automatically.
It’s almost like some sort of general data protection regulations are needed…
Where is Amazon?
don’t push blame.