A consumer-grade network-attached storage (NAS) device owned by Rice Consulting, a fundraising firm working primarily with the Democratic Party, was left publicly accessible, a cyber security research firm discovered. The device contained client data and passwords giving access to other organizations.
The factory-set authentication of the Buffalo TeraStation NAS device was disabled, leaving it open to being spotted and indexed by Shodan or Google’s IoT search engine.
The data leakage has highlighted the firm’s failure to implement basic security measures to protect swathes of highly sensitive voter and donor data.
Evans, Senior Director at One Identity:
“This brings to light the real problem with the proposed California legislation, which intends to ensure the security of IoT devices by requiring unique passwords, among other measures. Like in this most recent case, administrators and users may simply change or disable those security features for convenience, making a device or system inherently unsecure.
Enterprises would be best served by looking at the myriad options for automating the management of their privileged accounts to ensure leaks like this don’t happen again.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.