[BreachExchange] Voters' data was left exposed online because of course it was

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jul 19 19:00:40 EDT 2018


https://mashable.com/2018/07/18/voter-data-exposed-robocall-company/

Sure, our ballot may be secret. But our voter data? Yeah, not so much.

Our most recent reminder of this disconcerting truth: Bob Diachenko, a
self-described cybersecurity enthusiast who works for an IT development
firm, discovered an online database containing information on thousands of
US voters. The apparently misconfigured database, which belonged to a
Virginia-based robocalling firm, reportedly included voters' names,
addresses, phone numbers, and political affiliation, along with other
personal information.

And it was all there for the taking.

Diachenko describes the unprotected dataset as containing "Hundreds of
thousands [of] US voter data," but clarifies in the same blog post that
there were 2,594 "listed files." Because a single file could conceivably
contain thousands of individuals' data, the exact number of people whose
data was exposed isn't immediately clear.

But RoboCent, the robocalling firm behind the exposed database, attempted
to minimize the implications of Diachenko's findings. Though firm cofounder
Travis Trawick confirmed RoboCent's involvement in a statement to ZDNet, he
maintained that the data was from "an old bucket from 2013-2016 that hasn't
been used in the past two years."

Trawick's firm offers customers access to "thousands of voters, instantly"
— but that's not all RoboCent provides.

"Clients can now purchase voter data directly from their robocall
provider," the company explains on its website. "We provide voter files for
every need, whether it be for a new robocall or simply to update records
for door knocking. Our simple request process allows users to choose
exactly who to target with no minimum order."

You can see how such a service might be useful to a bad actor trying to, I
don't know, influence an election.

And the cost? Why that would be just $.03 per record. Or, if you knew where
to look online, free. According to Diachenko, the dataset was left in a
misconfigured and self-titled AWS S3 bucket.

We reached out to RoboCent in an attempt to confirm Diachenko's claims, as
well as to determine how long the data had been left exposed, how many
people were potentially impacted, and whether the company was aware of any
specific incidents of inappropriate access. We received no response as of
press time. We also reached out to Diachenko with the hope of getting to
the bottom of this, but did not hear back from him as of press time,
either.

Whether it be 2,600 people or several hundred thousand people, it's not a
good look for RoboCent to be allegedly exposing voter data to the public.
Unfortunately, this kind of security lapse is something we're all going to
only have to get used to going forward (if you haven't already).

Because even if companies like RoboCent aren't paying attention to their
digital security, you can bet others are.