News reports are surfacing about a huge voter records leak in the US. According to reports, personal data on 198 million voters, including analytics data that suggests who a person is likely to vote for and why, was stored on an insecure Amazon server. IT security experts commented below.
Brad Keller, Sr. Director, 3rd Party Strategy at Prevalent, Inc.:
The information disclosed by third party vendor Deep Root Analytics (https://gizmodo.com/gop-data-firm-accidentally-leaks-personal-details-of-ne-1796211612) seems at first glance to not be especially noteworthy – voter names, addresses, birthdates, and other “phone book” types of data. However, close consideration reveals that this information, previously valued in at tens of millions of dollars to its owners, is now essentially worthless to the companies who provided it to Deep Root. In addition, this type of information serves as an important component in identity theft and other criminal activity.
The Gizmodo article illustrates just how the “Spider Web Effect” can cause a single event to negatively impact dozens of companies, and potentially hundreds of millions of individuals. Every company who provided data to Deep Root Analytics has permanently lost the value of that data. The true impact on individuals is less clear as the extent of “market information” on individuals is unknown. For the Republican National Committee (RNC) their election strategy – what information is important to them and how they use it — has been revealed.
While this was voter information, it could have just as easily been a company’s go to market strategy for a new product, proprietary intellectual property, or a marketing campaign tied to an unannounced merger or acquisition. The point is that even information that may seem benign at first glance, can be extremely valuable and create direct economic loss, if not properly protected.”
Itsik Mantin, Director of Security Research at Imperva:
“From the public information available, it seems that the voter database was found in a place where anyone from any point in the virtual world can access it.
It is not the first time that a security researcher scanning the data buckets of cloud storage services has found that a significant portion of them are insecure, and that a significant portion of these contain personal data or sensitive business data. What’s unique in this event is the quantity and the sensitivity of the data that was kept negligently.
The Artificial Intelligence era we’re living in, with AI solutions flourishing in almost every domain, is also the data era, as data is the material from which AI is made. In the data era, you collect what you can, store what you can, either for using it today for a specific purpose, or for using at some point in the future for a yet-to-be-known purpose, using a yet-to-be-developed algorithm.
In this era, organisations find the task of controlling business critical data harder than ever, tracking the number of places where it is stored and cloned, as well as control of who accesses the data – when, why and for what purpose, legitimate or not. And even the organisation that builds the perfect data security solution, monitoring, analysing and assessing every data access, loses control when disclosing sensitive data to partners or customers, or even when one of its users decides to leak this data for ideological, financial or any other reasons.”
Terry Ray, Chief Product Strategist at Imperva:
With more data being collected by companies than ever before, securing it is no small task. There are many factors that need to be taken into consideration. Are the environment and the data vulnerable to cyber threats? Who has access to the data? And there’s also the issue of compliance. Big data deployments are subject to the same compliance mandates and require the same protection against breaches as traditional databases and their associated applications and infrastructure.
Much of the challenge of securing big data is the nature of the data itself. Enormous volumes of data require security solutions built to handle them. This means incredibly scalable solutions that are, at a minimum, an order of magnitude beyond that for traditional data environments. Additionally, these security solutions must be able to keep up with big data speeds. The multiplicity of big data environments is what makes big data difficult to secure, not necessarily the associated infrastructure and technology. There is no single logical point of entry or resource to guard, but many different ones, each with an independent lifecycle.
There’s also the challenge presented by the lack of security knowledge and understanding in the people working most closely with the data: data scientists and developers. Data scientists, with their skills and experience working with structured and unstructured data to deliver new insights, don’t necessarily think about the security of the data. It’s not surprising given that new technologies have encouraged data scientists to view big data as a giant sandbox where they are the owners and can decide how the data will be used. While most development projects rely on access to non-sensitive, test data instead of live, production data, big data application development by its nature often falls outside of the more secure processes set up within IT. And with higher-access privileges than many others in the organisation, developers also present a greater security risk either through accidental means or malicious intent.
The number and breadth of data breaches continues to grow, therefore it is crucial that everyone understands and prioritizes implementing better security for big data.”
Robert Capps, VP of Business Development at NuData Security:
Michael Patterson, CEO at Plixer:
John Suit, Cybersecurity Expert and CTO at Trivalent:
With 732 data breaches occurring in the U.S. in the last six months, companies need to prepare for not “if” but “when” an attack will impact their organization. The only way industries will be able to get ahead of ever-increasing data breaches is by seeking next generation data protection solutions that protect data through a process of shredding and recombining data for only authorized users—especially in the event of a breach. If such protection had been in place in this case, the 198M voters who were potentially impacted could rest easy knowing that their information could never be accessed by malicious actors.”
Paul Fletcher, Cybersecurity Evangelist at Alert Logic:
The fact that this exposure was discovered on a public cloud site is irrelevant. In fact, if the AWS suite of security tools and log collection capabilities were properly implemented, this massive data exposure could’ve been avoided. The Amazon S3 server comes by default with an access control list (ACL), which needs to be properly setup, maintained and audited by the organisation (and in this case), the organisation’s customer – the GOP. Extra security is also available using server side encryption, again offered by AWS, but the responsibility to implement this solution is up to the public cloud customer.
In this case, the following security best practices would’ve help prevented this type of exposure:
–Identify and Access Management – as part of the access control list mention above, maintaining who has access to what data and when is critical to operational security.
–Encryption – organisations should encrypt as much as possible, whenever it’s possible. According to the statement released by Deep Root Analytics, they stated that they “last evaluated and updated our security settings on June 1, 2017.” It’s plausible that a mistake was made during this update of their security settings, this can happen in any organization, so implementing encryption would have provided a “fail safe” in case the data was accessed by an unauthorised party.
–Log Monitoring and Management – Deep Root Analytic’s statement also says “we don’t believe that our systems have been hacked.” Proper security logging and monitoring would provide much more certainty regarding all the access attempts (authorised or unauthorised) of this data. Organisations that execute a robust log monitoring and management strategy will have better overall situational awareness for their data and system activity.
The potential for this type of data being made available publicly and on the dark web is extremely high. The collection (or aggregation) of PII only helps attacks build a more precise social engineering attack, especially using customised social media and phishing attack scenarios. This only aids the attacks approach and messaging because the specificity of the details increases the temptation for many people to click on the link.”
Richard Anstey, CTO EMEA at Synchronoss:
“
Although security experts have been warning for years of the importance of encrypting such data, it’s clear from cases such as this that it simply isn’t happening.
Strong encryption technologies such as rights management are fundamental to benefiting from the huge efficiencies created by the cloud without compromising privacy.
And it’s worth considering that, should the GDPR have been in force, the probability of EU citizens’ data being involved would have resulted in significant financial penalties for the organisation concerned.
Indeed, the size of penalties under GDPR are specifically designed to focus the attention of organisations with regard to how they handle large quantities of PPI, ensuring they take the utmost care and that responsibility for storage and distribution is embedded in organizational policies from the top down, and not left in the hands of individuals who can make simple mistakes.
Companies spend millions defending their data against attacks from malicious outsiders, but the very significant risk posed by clumsy or unthinking employees is too often ignored.”
Raj Samani, Chief Scientist and Fellow at McAfee:
Peter Carlisle, VP of EMEA at Thales e-Security:
Organisations need to understand just how important implementing encryption is – especially when storing data in the public cloud. Anyone could have accessed citizens’ sensitive data as long as they had a link to it. The impact of this data breach could have been minimised if encryption was used to protect the data in the cloud, and the Republican Party were in control of the keys. With encryption, the information can be rendered useless to a hacker with malicious intent, even against the risks of human error.”
Matt Moynahan, CEO at Forcepoint:
Enabling CISOs and CIOs to understand what the company-wide baseline for ‘normal’ behavior looks like could help to identify abnormal or risky behavior. That’s the only efficient way to proactively protect users, critical data and, most importantly, at the point at which they intersect – at the human point. Unless the security industry embraces this human-centric security approach, we’ll continue to spend more than 100 billions of dollars a year on protecting infrastructure when we should be focusing on understanding people’s behavior.”
Tim Erlin, VP at Tripwire:
“The headline may be the discovery that this data was accessible, but the real concern is who accessed it previously without reporting the misconfiguration.”
“When data is simply left accessible, without basic, foundational security controls, there’s no hacking required to gain access.”
“The cloud may solve many problems, but it doesn’t magically secure your applications or data. Organizations need to ensure they’re implementing the same basic controls, regardless of where the systems reside.”
“Any organization that is managing sensitive data, especially in the cloud, should look at this incident as a wake-up call. Executives should ask themselves if this kind of incident could occur inside of their organization, and then they should follow-up by asking exactly how it would be prevented.”
Paul Calatayud, CTO at FireMon:
Elmar Eperiesi-Beck, CEO at eperi:
“When it comes to using cloud services, administrators and even security specialists have to rethink their positioning and move away from putting all the effort into securing the IT systems to securing the data itself. After all, regulations such as GDPR in Europe demand that the data is protected and will force companies to comply with strict data protection requirements. Narrowing the focus to the data itself is good practice and there are solutions out there that make it easy and convenient for the cloud by providing secure encryption and preserving the full application functionality. The US may need to step up its Data Privacy Policy or it will soon find it is even more of a target.”