[BreachExchange] Republican polling firm's database was hacked, exposing donor records

Destry Winant destry at riskbasedsecurity.com
Thu Oct 12 01:51:46 EDT 2017


http://www.zdnet.com/article/republican-polling-firm-hacked-exposing-donor-records/

A Republican phone polling firm has been hacked, exposing data on
hundreds of thousands of Americans who submitted donations to
political campaigns, ZDNet has learned.

Several database files, one of which totaled 223 gigabytes in size and
amounted to about two billion lines of data, were stolen in January
from Victory Phones, a Grand Rapids, MI-based automated phone research
and data compilation firm.

Victory Phones carries out polling on behalf of Republican candidates,
who have spent hundreds of thousands of dollars on predicting the
outcomes of political campaigns. The company uses phone calling to
conduct polls on massive scales and flood the Republican voter base
with "get out to vote" phone calls. The company also allows campaigns
to carry out political fundraising.

It's thought that the stolen database primarily related to individual
donations made to political campaigns, given the types of information
found in the database.

According to public records, the company gave $207,602 to a campaign
by Rand Paul (R-KY) and $79,646 to Martha Roby (R-AL). The company
also gave $103,977 to the Republican Party of Michigan, where the
company is located, and $64,229 to the Republican National Committee,
among others.

The data contained 166,046 unique email addresses, according to Troy
Hunt, who runs data breach notification service Have I Been Pwned and
was sent a copy of the database.

The data contains names, postal and email addresses, phone numbers,
genders, and donation amounts.

Hunt also reached out to several individuals whose data was found in
the files. All of those who responded confirmed that they recognized
their data when it was supplied to them.

One file contained employee usernames, and hashed and salted
passwords, postal addresses, and the IP addresses of where users
logged in from.

When reached, the company's chief executive David Dishaw wouldn't
comment on the data's "veracity or validity."

He added: "We can confirm that in early January 2017, we were one of
tens of thousands of users whose MongoDB instance was hacked. We
received no ransom note or communication regarding this intrusion, in
the immediate aftermath, or up until even now. We took steps to
enhance the security of our data, and notified our users at that time
of the breach. We will continue to keep them up to date as we come
into any information that is relevant."

The breach lines up with a wave of attacks against 27,000 unsecured
MongoDB databases which were stolen and ransomed early this year. Many
of the poorly configured databases contained no password, and would be
accessed and downloaded by hackers, who would then replace the
databases with a ransom note.

At the time of writing, a server belonging to the company with an open
database port is still indexed on Shodan, the search engine for
unprotected devices and databases.

The breach may not be significant in terms of numbers of individuals
affected compared to other breaches of voter information -- much of the
data is already public on the Federal Election Commission's website.
But the hack represents yet another data exposure at a time of
heightened concern about election interference.

"We saw a lot of compromised MongoDB instances in late-2016 and early
2017," said Hunt, in an email to ZDNet.

"There's no sugar-coating that it only happened because organisations
put their databases in publicly facing network segments and left them
entirely unprotected without so much as a password," he said.

"This is yet another reminder of how much data is out there
circulating around the web, often from incidents some time ago," said
Hunt. "It also reminds us that even when the organisations charged
with protecting the data lose it and realise their mistake, there's
still no guarantee that the owners of the data will ever hear about
it."

Hunt added that 75 percent of email addresses were already in Have I
Been Pwned's database.

