It was reported this morning that VoterVoice, a “grassroots advocacy system” that allows lobbying firms and groups to alert concerned citizens about hot-topic issues, left a server exposed that contained over 300,000 unique email addresses, home addresses, phone numbers and other personal information that could indicate political persuasions and religious beliefs. The server was discovered by an ethical security researcher; however, the server was exposed for an unknown amount of time meaning that an individual with nefarious intentions could have found it first.
Expert Comments:
Brian Johnson, CEO and Co-founder at DivvyCloud:
“Companies that suffer data leaks due to misconfigured infrastructure should always be thankful when ethical security researchers discover them instead of malicious actors. However, in VoterVoice’s case, the infrastructure was exposed for an unknown amount of time meaning that nefarious individuals could have already accessed sensitive information without anyone knowing. Being compromised is bad enough, but being compromised and not knowing it is much worse. All companies should have security tools and plans in place to proactively avoid any data leaks.
Organizations must be diligent in ensuring the consumer data they are entrusted with is protected with proper security controls. Organizations need to focus on internal operations. Databases, storage containers, search engines, and other cloud data repositories are often incorrectly configured. For example, the container permissions may be too broad, allowing anyone to access the data. Containers may have been serviced by people who aren’t familiar with cloud security. These misconfigurations are often the result of something as simple as a developer that was unaware of how to properly secure the cloud service, or a simple oversight. For example, a developer may have tweaked a storage container configuration as part of troubleshooting, leaving it open to the public. Once the application began working again, they moved on to another project completely forgetting about the exposed storage container. There are dozens of situations that may result in changes to a container’s configurations. Organizations are often made vulnerable because they don’t have processes in place to prevent or manage insecure software configurations and deployments.
That is why companies must invest in cloud operations (CloudOps). CloudOps is the combination of people, processes, and tools that allow for organizations to consistently manage and govern cloud services at scale. Key to this is hiring and developing the right people, identifying processes that address the unique operational challenges of cloud services, and the automation of these processes with the right tools. Automated cloud security solutions give organizations the ability to detect misconfigurations and alert the appropriate personnel to correct the issue, or even trigger automated remediation in real-time.”
Ruchika Mishra, Director of Products and Solutions at Balbix:
“VoterVoice was warned by security researchers and journalists that a server was left exposed and unfortunately decided to ignore these warnings, showing a blatant disregard for the privacy of American citizens. Failing to take immediate action after a misconfiguration like this is identified heightens the risk of personal information being obtained and misused by malicious actors. Organizations that interact closely with elected government officials need to take a much more stringent approach to security. Leveraging security tools that use artificial intelligence to continuously monitor for vulnerabilities and misconfigurations, so these issues can be identified and remediated in real-time, is a must. Giving voters an outlet to communicate with elected officials is great in theory, but only if that communication is kept secure and the public has trust in both the platform and process.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.