[BreachExchange] Democratic Senate campaign group exposed 6.2 million Americans’ emails

Destry Winant destry at riskbasedsecurity.com
Wed Aug 7 10:04:28 EDT 2019


A political campaign group working to elect Democratic senators left
on an exposed server a spreadsheet containing the email addresses of
6.2 million Americans.

Data breach researchers at security firm UpGuard found the data in
late July, and traced the storage bucket back to a former staffer at
the Democratic Senatorial Campaign Committee, an organization that
seeks grassroots donations and contributions to help elect Democratic
candidates to the U.S. Senate.

Following the discovery, UpGuard researchers reached out to the DSCC
and the storage bucket was secured within a few hours. The researchers
shared their findings exclusively with TechCrunch and published their

The spreadsheet was titled “EmailExcludeClinton.csv” and was found in
a similarly named unprotected Amazon S3 bucket without a password. The
file was uploaded in 2010 — a year after former Democratic senator and
presidential candidate Hillary Clinton, whom the data is believed to
be named after, became secretary of state.

UpGuard said the data may be people “who had opted out or should
otherwise be excluded” from the committee’s marketing.

Stewart Boss, a spokesperson for the DSCC, denied the data came from
Sen. Hillary Clinton’s campaign and claimed the data had been created
using the committee’s own information.

“A spreadsheet from nearly a decade ago that was created for
fundraising purposes was removed in compliance with the stringent
protocols we now have in place,” he told TechCrunch in an email.

Despite several follow-ups, the spokesperson declined to say how the
email addresses were collected, where the information came from, what
the email addresses were used for, how long the bucket was exposed, or
whether the committee knew if anyone else accessed or obtained the data.

We also contacted the former DSCC staffer who owned the storage bucket
and allegedly created the database, but did not hear back.

Most of the email addresses were from consumer providers, like AOL,
Yahoo, Hotmail and Gmail, but the researchers found more than 7,700
U.S. government email addresses and 3,400 U.S. military email
addresses, said the UpGuard researchers.

The DSCC security lapse is the latest in a string of data exposures in
recent years — some of which were also discovered by UpGuard. Two
incidents in 2015 and 2017 exposed 191 million and 198 million
Americans’ voter data, respectively, including voter profiles and
political persuasions. Last year, 14 million voter records on Texas
residents were also found on an exposed server.

Although the DSCC’s data exposure contains less damaging information
than similar exposed sets of voter data, it represents another
embarrassing lapse around political campaign data security.

“This list contained only email addresses, but other political data
sets contain far more information on individuals, down to
psychographic information such as their habits, behaviors, and likely
beliefs,” said UpGuard. “The same things that make this data valuable
to political campaigns makes it valuable to malicious actors — intel
on individuals that can be used to contact and influence them.”

“If political data can be exposed for ten years, the risk created by
that data has an unknown half-life,” the researchers said.
