Cybersecurity experts speculate that in our current state, up to 70% of cyber attacks, including breaches, go undetected in a given year. Part of identifying and stopping breaches is knowing what kind of information cybercriminals are after, and election season creates hotbeds of public information that are prime targets for a breach.
The companies that house this information are, of course, responsible for keeping your data protected, but things don’t always go according to plan. Case in point: During the 2016 election season, GOP analytics firm Deep Root Analytics left the door wide open for crooks to access 198 million Americans’ voting information.
Politicians Prosper, Voters Are Exposed
Deep Root was hired to gather the information to support what would become the successful 2016 GOP presidential campaign. It included names, birthdays, phone numbers, voting information and even home addresses.
The company stored all this information on a database which researcher Chris Vickery discovered was misconfigured. The error meant there was no access protection for the database. Anyone with an internet connection could view and potentially steal the personal information of nearly 2 million Americans.
The database also included modelled positions, strategic information used by the GOP to market its campaign to voters. Had a major retailer allowed this type of information about their customers to get out, it probably would have been all over the news. Thankfully, it appears that while the door was left open, there were no nefarious attempts to access the data made during the 12 days it was unprotected.
Deep Root Responds to the Breach
With the number of cybersecurity issues surrounding the 2016 election year already staggering, Deep Root has taken a transparent stance toward the information leak. In a statement, the company encourages voters to monitor their accounts for fraudulent activity. They also attempt to temper the blow by pointing out that much of this info is public domain in some states.
Presumably, not all of Deep Root’s customers are political parties, and the field of data analytics is growing rapidly. In a business setting, critical analysis of data not unlike what Deep Root gathered can help businesses decrease operating costs by 60 percent or more. That’s a service you can charge for, and chances are Deep Root doesn’t want to forfeit any more customers than it has to in the wake of such a major error.
To remedy the exposed database, Deep Root updated access settings to the information, adding the layers of security that should have been in place to begin with.
White Hat Probing Uncovered the Error
While it might sting a little now, Deep Root is fortunate that consultancy firm UpGuard was around to point out the issue. Had it been left unattended to, there’s no telling where the information could wind up. Probably on the dark web, just like the Yahoo account information that has been up for sale there for half a year now.
Chris Vickery, the man who located the flaw in Deep Root’s system, is just one of many researchers engaged in locating and reporting these types of errors every day. While you might not hear about them, they play a critical role in ensuring the security of your data.
Google’s Project Zero is one such operation, a dedicated department of the 800-pound internet gorilla focused solely on uncovering vulnerabilities and thinking like cybercriminals. Their goal is to find the flaws before bad guys get there, and oftentimes they do. When an issue is found, the Project Zero coders report it to the organization responsible so they can apply a patch or remove the vulnerability.
Is Privacy a Reasonable Expectation Anymore?
Can the efforts of these good-guy hackers ever fully curtail the leak of information that has been gushing out of the internet since, well, probably before we even know?
Maybe not, but through careful regulation and fastidious maintenance, we can patch the easy holes. Deep Root got lucky — it committed a blatant error and wasn’t punished for it.
Just like burglary, data breaches are nearly always a crime of opportunity. If you leave the front door wide open, you had better expect someone to come waltzing in.