Earlier this week, UpGaurd announced their discovery of the RNC’s contracted voter research vendor Deep Root Analyics’ (DRA) 12-day data exposure of nearly 200 million American voters’ information. While leaks of contact details are detrimental enough, both to the individual and the responsible organization, this particular exposure also left the door open to voter preferences on sensitive partisan topics, such as gun ownership and control – a serious privacy violation.
The fact that these confidential files were left on a publicly accessible server should not be a surprise. An organization’s greatest threat is usually not an outside attacker, it’s the people inside the organization and their mistakes that are the most frequent offenders. The DRA’s lack of safeguards around people, processes and policies have culminated in a massive, embarrassing and extremely troubling leak. This event, while it may have been an “innocent” oversight, can’t be brushed under the rug as a simple mistake. It suggests there is zero emphasis on cyber literacy or training within the DRA, a disturbing revelation given the sensitive and private nature of their product and offering.
To boil this down into the root cause, it’s important to recognize that company leadership is ultimately responsible for driving a cyber-conscious culture. The U.S. government is cracking down on sloppy mishandling of sensitive data by assigning responsibility to organizational heads and imposing financial repercussions on those that don’t comply. The recent Executive Order on Cybersecurity of Federal Networks designates agency heads as personally responsible for the cyber risk management of their agencies. Similar sentiment exists in New York’s Department of Financial Services mandate, which places the responsibility of securing customer financial data on the shoulders of company board members and executives. If the embarrassment of disclosing a data breach or leak isn’t enough to sway company executives to take security seriously, then perhaps financial penalties and liability—both personal and company-wide—will help jump-start the cyber awareness culture our country so desperately needs.
The revelation that RNC data was exposed via DRA, and made vulnerable to unauthorized parties, is indicative of a nation-wide cyber conscious culture problem. As exaggerated as it may seem, every cyber attack or data breach is a direct attack on our economy, whether a domestic attacker or abroad. This major data exposure discovery is the latest in a string of incidents that have put our national security and economy in danger. The damages from the NSA leak have only just begun. The Wannacry attack is merely the start to what is possible when bad actors get their hands on our vulnerabilities. The Yahoo breach had a massive financial impact on a leader in the communications industry. The DNC email breach was a threat to our democracy. The Sony hack was an international act of aggression. All of these were preventable had procedures and policies that safeguard information and educate employees on cyber awareness been established company-wide, from the top down. It’s time to show the world that U.S. assets are not available for sale on the dark web, and supporting cyber conscious cultures is the first step in the right direction.