News reports are surfacing about a huge voter records leak in the US. According to reports, personal data on 198 million voters, including analytics data that suggests who a person is likely to vote for and why, was stored on an insecure Amazon server. IT security experts commented below.
Brad Keller, Sr. Director, 3rd Party Strategy at Prevalent, Inc.:
“How Safe is your Data?
The information disclosed by third party vendor Deep Root Analytics (https://gizmodo.com/gop-data-firm-accidentally-leaks-personal-details-of-ne-1796211612) seems at first glance to not be especially noteworthy – voter names, addresses, birthdates, and other “phone book” types of data. However, close consideration reveals that this information, previously valued at tens of millions of dollars to its owners, is now essentially worthless to the companies who provided it to Deep Root. In addition, this type of information serves as an important component in identity theft and other criminal activity.
The Gizmodo article illustrates just how the “Spider Web Effect” can cause a single event to negatively impact dozens of companies, and potentially hundreds of millions of individuals. Every company that provided data to Deep Root Analytics has permanently lost the value of that data. The true impact on individuals is less clear, as the extent of “market information” on individuals is unknown. For the Republican National Committee (RNC), their election strategy – what information is important to them and how they use it — has been revealed.
While this was voter information, it could have just as easily been a company’s go-to-market strategy for a new product, proprietary intellectual property, or a marketing campaign tied to an unannounced merger or acquisition. The point is that even information that may seem benign at first glance can be extremely valuable and create direct economic loss if not properly protected.”
Itsik Mantin, Director of Security Research at Imperva:
“From the public information available, it seems that the voter database was found in a place where anyone from any point in the virtual world can access it.
It is not the first time that a security researcher scanning the data buckets of cloud storage services has found that a significant portion of them are insecure, and that a significant portion of these contain personal data or sensitive business data. What’s unique in this event is the quantity and the sensitivity of the data that was kept negligently.
The Artificial Intelligence era we’re living in, with AI solutions flourishing in almost every domain, is also the data era, as data is the material from which AI is made. In the data era, you collect what you can, store what you can, either for using it today for a specific purpose, or for using at some point in the future for a yet-to-be-known purpose, using a yet-to-be-developed algorithm.
In this era, organisations find the task of controlling business critical data harder than ever, tracking the number of places where it is stored and cloned, as well as control of who accesses the data – when, why and for what purpose, legitimate or not. And even the organisation that builds the perfect data security solution, monitoring, analysing and assessing every data access, loses control when disclosing sensitive data to partners or customers, or even when one of its users decides to leak this data for ideological, financial or any other reasons.”
Terry Ray, Chief Product Strategist at Imperva:
“This was less a leak than an identified exposed server. From the information provided, the data is not known to have been stolen necessarily. It sounds to me that this is another case of incorrectly secured cloud-based systems. Certainly, security of private data – especially my data, as I am a voter – should be of paramount concern to companies who offer to collect such data, but that security concern should ratchet up a few marks when the data storage transitions to the cloud, where poor data repository security may not have the type of secondary data centre controls of an in-house, non-cloud data repository.
With more data being collected by companies than ever before, securing it is no small task. There are many factors that need to be taken into consideration. Are the environment and the data vulnerable to cyber threats? Who has access to the data? And there’s also the issue of compliance. Big data deployments are subject to the same compliance mandates and require the same protection against breaches as traditional databases and their associated applications and infrastructure.
Much of the challenge of securing big data is the nature of the data itself. Enormous volumes of data require security solutions built to handle them. This means incredibly scalable solutions that are, at a minimum, an order of magnitude beyond that for traditional data environments. Additionally, these security solutions must be able to keep up with big data speeds. The multiplicity of big data environments is what makes big data difficult to secure, not necessarily the associated infrastructure and technology. There is no single logical point of entry or resource to guard, but many different ones, each with an independent lifecycle.
There’s also the challenge presented by the lack of security knowledge and understanding in the people working most closely with the data: data scientists and developers. Data scientists, with their skills and experience working with structured and unstructured data to deliver new insights, don’t necessarily think about the security of the data. It’s not surprising given that new technologies have encouraged data scientists to view big data as a giant sandbox where they are the owners and can decide how the data will be used. While most development projects rely on access to non-sensitive, test data instead of live, production data, big data application development by its nature often falls outside of the more secure processes set up within IT. And with higher-access privileges than many others in the organisation, developers also present a greater security risk either through accidental means or malicious intent.
The number and breadth of data breaches continues to grow; therefore, it is crucial that everyone understands and prioritizes implementing better security for big data.”
Robert Capps, VP of Business Development at NuData Security:
“This is a serious data leak, which allows nation-states to target ordinary US citizens for additional attacks and surveillance, as well as detailed voting information. If this wasn’t bad enough, this highly detailed data could potentially be combined with stolen personal data from other data breaches already available on the dark web to create rich profiles of these individuals. Such profiles can be leveraged by cybercriminals and nation-state actors to not only track voting habits, but also use their identities for account takeovers, apply for new credit, and much more. The members of the electorate involved in this incident should immediately request a credit freeze with the major credit bureaus, and keep close track of account activity through commercial credit monitoring services, or monitoring of their own accounts.”
Michael Patterson, CEO at Plixer:
“In the age of big data analysis, our personally identifiable information (PII) is being collected and stored by nearly every organization with which we interact. The manufacturers of software require acknowledgments of their end user license agreements (EULAs), which nearly everybody agrees to without reading. EULAs grant permission for these companies to gather and store data about you. Deep Root Analytics has gathered a significant amount of PII, and placed that data online without properly protecting it. The theft of PII is rampant. Every time a third party irresponsibly posts data or they are breached, people’s lives are impacted. Bad actors are able to correlate stolen data from multiple sources to piece together the information they need to make monetary gains. Any data that is connected to the internet is vulnerable. It is the responsibility of any organization gathering and storing PII to take best practice approaches to monitoring the integrity of that data and providing timely notification if that data is compromised.”
John Suit, Cybersecurity Expert and CTO at Trivalent:
“Deep Root exposed 25 terabytes of information, including names, dates of birth, addresses, phone numbers and voter registration details of a reported 198M voters, via an unsecured Amazon Cloud account that could be accessed without a login. This is yet another example of data protection continuing to come up short in our digital world—whether that be due to risk posed by employees, vendors, contractors and partners, or next generation threats like ransomware.
With 732 data breaches occurring in the U.S. in the last six months, companies need to prepare for not “if” but “when” an attack will impact their organization. The only way industries will be able to get ahead of ever-increasing data breaches is by seeking next generation data protection solutions that protect data through a process of shredding and recombining data for only authorized users—especially in the event of a breach. If such protection had been in place in this case, the 198M voters who were potentially impacted could rest easy knowing that their information could never be accessed by malicious actors.”
Paul Fletcher, Cybersecurity Evangelist at Alert Logic:
“This exposure of 198 million registered American voters’ personally identifiable information (PII) is due to the lack of a defence in depth strategy for a 3rd party. It’s another example of why companies need to perform ongoing due diligence of the security strategies of vendors and partners. An organisation is only as secure as its weakest link, and 3rd party vendors have been notorious for being the weak point of data leakage and exfiltration.
The fact that this exposure was discovered on a public cloud site is irrelevant. In fact, if the AWS suite of security tools and log collection capabilities were properly implemented, this massive data exposure could’ve been avoided. The Amazon S3 server comes by default with an access control list (ACL), which needs to be properly set up, maintained and audited by the organisation (and, in this case, the organisation’s customer – the GOP). Extra security is also available using server-side encryption, again offered by AWS, but the responsibility to implement this solution is up to the public cloud customer.
In this case, the following security best practices would have helped prevent this type of exposure:
– Identity and Access Management – as part of the access control list mentioned above, maintaining who has access to what data and when is critical to operational security.
– Encryption – organisations should encrypt as much as possible, whenever it’s possible. In its statement, Deep Root Analytics said that it “last evaluated and updated our security settings on June 1, 2017.” It’s plausible that a mistake was made during this update of their security settings; this can happen in any organization, so implementing encryption would have provided a “fail safe” in case the data was accessed by an unauthorised party.
– Log Monitoring and Management – Deep Root Analytics’ statement also says “we don’t believe that our systems have been hacked.” Proper security logging and monitoring would provide much more certainty regarding all the access attempts (authorised or unauthorised) on this data. Organisations that execute a robust log monitoring and management strategy will have better overall situational awareness for their data and system activity.
The potential for this type of data being made available publicly and on the dark web is extremely high. The collection (or aggregation) of PII only helps attackers build a more precise social engineering attack, especially using customised social media and phishing attack scenarios. This only aids the attack’s approach and messaging, because the specificity of the details increases the temptation for many people to click on the link.”
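The three controls named in the comment above (a correctly scoped bucket ACL, a bucket policy that does not grant access to everyone, and server-side encryption switched on) can be audited mechanically. The script below is an added example written for this page; it is not code from the article, from Deep Root Analytics, from Alert Logic or from AWS. It reads the same JSON shapes that the S3 GetBucketAcl, GetBucketPolicy and GetBucketEncryption API calls return (the canned-group URIs `AllUsers`/`AuthenticatedUsers`, `Principal: "*"`, and `ServerSideEncryptionConfiguration` are real AWS values), but the two bucket records it audits are constructed samples, so it runs offline with no credentials. A real deployment would feed it the output of those three calls for every bucket in the account.

```python
"""Audit an S3 bucket for a public ACL grant, a policy open to Principal "*",
and missing default server-side encryption.

Added example for this page, not code from the article or any vendor named in
it.  The input shapes mirror the S3 GetBucketAcl / GetBucketPolicy /
GetBucketEncryption responses; the bucket records at the bottom are
constructed samples so the script runs offline."""
import json

# Canned groups whose presence in any ACL grant exposes the bucket to everyone
# on the internet (AllUsers) or to every AWS account holder (AuthenticatedUsers).
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def acl_public_grants(acl):
    """Return (group, permission) for every ACL grant to a public canned group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return findings


def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"} (including inside a list)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def policy_public_statements(policy_json):
    """Return Sids of Allow statements that let Principal "*" read or list objects."""
    if not policy_json:
        return []
    risky = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if any(a in ("*", "s3:*") or a.startswith(("s3:get", "s3:list")) for a in actions):
            risky.append(stmt.get("Sid", "<no Sid>"))
    return risky


def default_encryption_enabled(encryption):
    """True when a bucket-level default SSE rule (AES256 or aws:kms) is configured."""
    rules = (encryption or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    return any(
        rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") in ("AES256", "aws:kms")
        for rule in rules
    )


def audit_bucket(name, acl, policy_json=None, encryption=None):
    """Combine the three checks into one finding record for a bucket."""
    acl_findings = acl_public_grants(acl)
    policy_findings = policy_public_statements(policy_json)
    return {
        "bucket": name,
        "public_acl_grants": acl_findings,
        "public_policy_statements": policy_findings,
        "default_encryption": default_encryption_enabled(encryption),
        "exposed": bool(acl_findings or policy_findings),
    }


# --- constructed samples (hypothetical buckets, not real ones) -----------------
OWNER = {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"}
EXPOSED_ACL = {"Owner": {"ID": OWNER["ID"]}, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-voter-data/*"}]})
HARDENED_ACL = {"Owner": {"ID": OWNER["ID"]},
                "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
HARDENED_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                            "KMSMasterKeyID": "alias/example-key"}}]}}

if __name__ == "__main__":
    for report in (audit_bucket("example-voter-data", EXPOSED_ACL, EXPOSED_POLICY, None),
                   audit_bucket("example-voter-data-hardened", HARDENED_ACL, None, HARDENED_ENCRYPTION)):
        print(json.dumps(report, indent=2))
```

The first sample reproduces the failure pattern the comment describes (an `AllUsers` READ grant plus a `Principal: "*"` GetObject statement and no default encryption); the second is the shape an auditor wants to see. Note that encryption at rest is only a fail-safe against a misconfigured ACL if the reader cannot also obtain the key, which is why the KMS key policy deserves the same audit as the bucket. AWS later added the account-level S3 Block Public Access setting, which rejects public ACLs and policies outright; where it is available, enabling it removes this whole class of mistake rather than merely detecting it.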
Richard Anstey, CTO EMEA at Synchronoss:
“This latest breach suggests that there are still many lessons to be learned when it comes to handling personally identifiable information, or PII.
Although security experts have been warning for years of the importance of encrypting such data, it’s clear from cases such as this that it simply isn’t happening.
Strong encryption technologies such as rights management are fundamental to benefiting from the huge efficiencies created by the cloud without compromising privacy.
And it’s worth considering that, had the GDPR been in force, the probability of EU citizens’ data being involved would have resulted in significant financial penalties for the organisation concerned.
Indeed, the size of penalties under GDPR is specifically designed to focus the attention of organisations with regard to how they handle large quantities of PII, ensuring they take the utmost care and that responsibility for storage and distribution is embedded in organizational policies from the top down, and not left in the hands of individuals who can make simple mistakes.
Companies spend millions defending their data against attacks from malicious outsiders, but the very significant risk posed by clumsy or unthinking employees is too often ignored.”
Raj Samani, Chief Scientist and Fellow at McAfee:
“Data is currently one of the world’s most valuable commodities and yet every day a data breach, leak or hack is reported. This latest leak is particularly alarming – due to both the vast quantity of information left unguarded and the nature of that data. As companies collect more and more data, they may be unconsciously shooting themselves in the foot in their efforts to be completely secure. Organisations often have too many tools operating in silos at once – and failing to communicate with each other. It is now not unusual for businesses to have over 10 security tools which require constant monitoring, meaning that human error becomes a key factor in the security of our data. Companies need to focus on building a fully integrated security system with automated monitoring in place to ensure that they are always one step ahead.”
Peter Carlisle, VP of EMEA at Thales e-Security:
“A breach of this scale, which impacts the lives of millions of citizens in the world’s largest economy, is a reminder of the need to implement appropriate, robust cyber security measures to protect individuals’ personal data as well as data possessed by corporations and governments around the world.
Organisations need to understand just how important implementing encryption is – especially when storing data in the public cloud. Anyone could have accessed citizens’ sensitive data as long as they had a link to it. The impact of this data breach could have been minimised if encryption had been used to protect the data in the cloud, and the Republican Party had been in control of the keys. With encryption, the information can be rendered useless to a hacker with malicious intent, even against the risks of human error.”
Matt Moynahan, CEO at Forcepoint:
“The accidental data leakage of 200 million American voter records is the latest example of an unfortunate but sobering reality – more often than not, data breaches are caused not by malicious hackers but by inadvertent errors made by employees. Regardless of whether organizations are securing data using on-premises or cloud-based technology, as in the case of Deep Root Analytics, organizations need to balance protecting privacy and understanding how their employees interact with critical business data and intellectual property. They should look at people and protect against those behaviors that could result in the loss of valuable data or IP. Governments and corporations would make sustainable progress against these sorts of breaches only with a blend of human-centric security technologies, policies, cultural changes and intelligent systems that can observe cyber behavior and decipher intent.
Enabling CISOs and CIOs to understand what the company-wide baseline for ‘normal’ behavior looks like could help to identify abnormal or risky behavior. That’s the only efficient way to proactively protect users, critical data and, most importantly, the point at which they intersect – the human point. Unless the security industry embraces this human-centric security approach, we’ll continue to spend more than 100 billion dollars a year on protecting infrastructure when we should be focusing on understanding people’s behavior.”
Tim Erlin, VP at Tripwire:
“The average citizen likely doesn’t appreciate the level at which this kind of data drives the political process. This is a treasure trove of personal information that was sitting unprotected on the Internet.”
“The headline may be the discovery that this data was accessible, but the real concern is who accessed it previously without reporting the misconfiguration.”
“When data is simply left accessible, without basic, foundational security controls, there’s no hacking required to gain access.”
“The cloud may solve many problems, but it doesn’t magically secure your applications or data. Organizations need to ensure they’re implementing the same basic controls, regardless of where the systems reside.”
“Any organization that is managing sensitive data, especially in the cloud, should look at this incident as a wake-up call. Executives should ask themselves if this kind of incident could occur inside of their organization, and then they should follow up by asking exactly how it would be prevented.”
Paul Calatayud, CTO at FireMon:
“Data breaches are often associated with the idea that hackers have attacked and stolen information, but human error frequently accounts for the same amount of records lost each year. Specifically, when it comes to exposed databases, often they are accidentally exposed due to a combination of weak or no passwords protecting the systems as well as poor firewall management. By assessing your firewall configuration in a real-time, continuous manner, mistakes related to passwords or ports left open to expose the database can be prevented. The best mitigation is network security policy management solutions that can quickly audit firewalls and alert when risky ports such as database ports are accessible to the internet, and prevent such mistakes and data loss from occurring.”
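The firewall audit the comment above calls for (alert when a database listener port is reachable from the whole internet) reduces to a small rule-walking check. The script below is an added example written for this page and is not code from the article or from FireMon. Its rule records mirror the `IpPermissions` entries of an AWS EC2 security group (`IpProtocol`, `FromPort`, `ToPort`, `IpRanges`, `Ipv6Ranges`), but the same logic applies to any firewall rule set once it is normalised to protocol, port range and source prefix; the security groups it inspects are constructed samples and the port-to-engine table is a hypothetical shortlist, so it runs offline.

```python
"""Flag firewall rules that expose database listener ports to the entire
internet.  Added example for this page, not code from the article or any vendor
named in it.  Rule shape mirrors EC2 security group IpPermissions; the groups
at the bottom are constructed samples."""
import ipaddress

# Hypothetical shortlist of well-known database listener ports to watch.
DATABASE_PORTS = {
    1433: "MSSQL", 1521: "Oracle", 3306: "MySQL/MariaDB", 5432: "PostgreSQL",
    6379: "Redis", 9200: "Elasticsearch", 27017: "MongoDB",
}


def _cidr_is_world(cidr):
    """True for 0.0.0.0/0, ::/0 or any other prefix covering the whole address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _rule_sources(rule):
    """All IPv4 and IPv6 source prefixes attached to one rule."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def _database_ports_in_rule(rule):
    """Database ports that fall inside the rule's protocol/port range."""
    proto = str(rule.get("IpProtocol"))
    if proto == "-1":                      # EC2 shorthand for all protocols/ports
        return sorted(DATABASE_PORTS)
    if proto not in ("tcp", "6"):          # the listeners above are all TCP
        return []
    low, high = rule.get("FromPort"), rule.get("ToPort")
    if low is None or high is None:
        return []
    return sorted(p for p in DATABASE_PORTS if low <= p <= high)


def exposed_database_rules(security_groups):
    """One finding per (group, database port) reachable from a world-open prefix."""
    findings = []
    for group in security_groups:
        for rule in group.get("IpPermissions", []):
            world_sources = [c for c in _rule_sources(rule) if _cidr_is_world(c)]
            if not world_sources:
                continue
            for port in _database_ports_in_rule(rule):
                findings.append({"group": group["GroupId"], "port": port,
                                 "service": DATABASE_PORTS[port], "sources": world_sources})
    return findings


# --- constructed samples (hypothetical security groups) ------------------------
SAMPLE_GROUPS = [
    {"GroupId": "sg-db-exposed", "IpPermissions": [
        # MySQL open to the world over both address families: should be flagged
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        # PostgreSQL restricted to a private range: fine
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        # SSH open to the world: risky, but not a database port, so out of scope here
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-allow-all", "IpPermissions": [
        # "Allow everything from anywhere": every database port counts as exposed
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
]
HARDENED_GROUP = {"GroupId": "sg-db-hardened", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": []},
]}

if __name__ == "__main__":
    for finding in exposed_database_rules(SAMPLE_GROUPS):
        print(f"{finding['group']}: {finding['service']} (tcp/{finding['port']}) "
              f"reachable from {', '.join(finding['sources'])}")
```

Run it periodically against the live rule export (or on every change event) and treat any finding as an alert; the `-1` protocol case and the port-range overlap are the two spots where a naive "is port X in the list" check usually misses exposures.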
Elmar Eperiesi-Beck, CEO at eperi:
“In cases such as these, no one can prevent the data from getting stolen, but if the data was encrypted before it went to the cloud – then it would have been unreadable to the outside world.
“When it comes to using cloud services, administrators and even security specialists have to rethink their positioning and move away from putting all the effort into securing the IT systems to securing the data itself. After all, regulations such as GDPR in Europe demand that the data is protected and will force companies to comply with strict data protection requirements. Narrowing the focus to the data itself is good practice and there are solutions out there that make it easy and convenient for the cloud by providing secure encryption and preserving the full application functionality. The US may need to step up its Data Privacy Policy or it will soon find it is even more of a target.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.