
Risk & Repeat: RNC voter database left open to the public


In this week's Risk & Repeat podcast, SearchSecurity editors discuss how the Republican National Committee's voter database was accidentally exposed in an Amazon S3 bucket.

Continuing a string of recent mishaps with exposed data in the cloud, a massive voter database compiled by the Republican National Committee was left open to the public, exposing information on nearly 200 million American voters.

According to a report from cybersecurity vendor UpGuard Inc., a data analytics firm working on behalf of the RNC for the 2016 U.S. presidential election accidentally exposed the voter database on Amazon's Simple Storage Service (S3). Chris Vickery, an analyst with the UpGuard cyber-risk team, discovered the open Amazon S3 bucket, which had no password protection or access control of any kind and which contained a misconfigured database holding private information on 198 million registered voters. According to the UpGuard report, the information included dates of birth, home and mailing addresses, phone numbers, registered party, voter registration status and other data, as well as projections of voters' modeled ethnicity and modeled religion.

It's unclear whether unauthorized parties accessed the RNC voter database while it was exposed, and how long it was exposed is also unknown. The error jeopardizes a huge investment in data analytics made by the RNC to help the Republican Party secure the White House in 2016. The exposure of the Amazon S3 bucket also affects the privacy of the vast majority of American voters.

In this episode of the Risk & Repeat podcast, editors Rob Wright and Peter Loshin discuss the impact of the voter database exposure, why so many S3 buckets are left open and how voter data can be used for weaponized identity attacks.



What are the best ways to protect Amazon S3 buckets from exposures?
By default, only the creator of the S3 bucket has access, or you can click a check mark to allow unlimited public read access, which takes one more second.

To protect S3 buckets, Amazon wants you to create user accounts for each user needing access, then use IAM security to grant appropriate permissions on that bucket to users (unfortunately that is all done via a scripting language), so most non-IT folks give up way before then and will not create and paste the correct code needed into the web page.

Amazon S3 is designed for access by programmers and professional scripts and not by those without extensive Amazon training, which causes this problem. The GUI lets those folks create the bucket and make it public with a few clicks, but does not allow that type of person to secure it. Even a programmer who doesn't have Amazon-specific knowledge would take a few hours to figure out IAM permissions the first time.

It's assumed that the person accessing this interface is a professional IT and security expert if they have sensitive data.

The only solution is fines. The DNC could have put fines in the contract with this research firm if any data was leaked. But that would certainly drive up the cost of the contract and slow down delivery, so that is why we will continue to have these issues.

Sorry for misspellings above, I don't see any Edit button to fix them.

Amazon also recommends changing IAM security credentials each month or so, and that means scripts need to run to make these changes. Normal users will not do this.

If you have sensitive data, Amazon expects you to write custom code to do all this for the end users. End users have no business using S3 with sensitive data. Most people don't understand the fact that Amazon is still basically a programming interface, with a few new web front-ends added on to make some initial tasks easy, but you still have to program it for real work.
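The comment above describes the two ways a bucket ends up readable by the world: the "public read" check box, which adds an ACL grant to the AllUsers group, and a bucket policy whose Principal is "*". The check a practitioner wants is an audit that catches both. The following is an added example written for this page; it is not code from UpGuard, from the RNC's contractor, or from the commenter. It works on ACL and policy documents in the shape that boto3's get_bucket_acl() and get_bucket_policy() return, with the documents constructed inline so it runs offline; the bucket name, account ID, canonical user ID and role name are made up.

```python
"""Offline audit of S3 bucket ACLs and bucket policies for public access.

Added example; not code from UpGuard, the RNC contractor or the commenter.
Inputs are constructed samples in the shape returned by boto3's
get_bucket_acl() and get_bucket_policy(), so no AWS credentials are needed.
"""
import json

# S3's two "everyone" grantee groups: anonymous users and any AWS account.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def acl_public_grants(acl):
    """Return (group, permission) pairs for ACL grants to AllUsers/AuthenticatedUsers."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return found


def _principal_is_public(principal):
    """True for Principal "*", {"AWS": "*"} or {"AWS": [..., "*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def policy_public_statements(policy_json):
    """Return Sids of Allow statements with an anonymous Principal.

    A statement with Principal "*" but a Condition (e.g. aws:SourceVpce)
    may not be reachable from the internet; it is still flagged for review.
    """
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):  # a single statement may be given as an object
        stmts = [stmts]
    return [
        s.get("Sid", "<no Sid>")
        for s in stmts
        if s.get("Effect") == "Allow" and _principal_is_public(s.get("Principal"))
    ]


def classify_bucket(acl, policy_json=None):
    """'public' if the ACL or the policy opens the bucket, otherwise 'private'."""
    if acl_public_grants(acl) or (policy_json and policy_public_statements(policy_json)):
        return "public"
    return "private"


# --- constructed sample documents (made-up IDs and names) ------------------
OWNER = {"ID": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"}
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]},
               "Permission": "FULL_CONTROL"}

# Default ACL: owner only.
PRIVATE_ACL = {"Owner": OWNER, "Grants": [OWNER_GRANT]}

# ACL after the "public read" box is ticked in the console.
PUBLIC_ACL = {"Owner": OWNER, "Grants": [OWNER_GRANT, {
    "Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
    "Permission": "READ"}]}

# Least-privilege bucket policy: read access for one named IAM role only.
PRIVATE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AnalystsReadOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/voter-data-analyst"},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-voter-data", "arn:aws:s3:::example-voter-data/*"]}]})

# Policy equivalent of the check box: anonymous read of every object.
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AnonymousRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-voter-data/*"}]})


if __name__ == "__main__":
    cases = [("default-acl", PRIVATE_ACL, None),
             ("checkbox-public", PUBLIC_ACL, None),
             ("role-only-policy", PRIVATE_ACL, PRIVATE_POLICY),
             ("anonymous-policy", PRIVATE_ACL, PUBLIC_POLICY)]
    for name, acl, pol in cases:
        print(f"{name:18s} {classify_bucket(acl, pol):8s} "
              f"acl={acl_public_grants(acl)} policy={policy_public_statements(pol) if pol else []}")
```

Against a real account, feed the functions the output of `get_bucket_acl(Bucket=name)` and `get_bucket_policy(Bucket=name)["Policy"]` for every bucket returned by `list_buckets()`, and remember that object-level ACLs can open individual objects even when the bucket ACL is clean. AWS has since added an account-level Block Public Access setting that rejects such grants and policies outright; turning it on is the simplest guard against the one-click exposure the commenter describes.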