Crippling cyber assaults, Russian intelligence email phishing, ransomware, nefarious rival operators acting as black hat hackers — it’s enough for consultants to long for the old analog days.
Now, consultants can add cyber security experts as another online danger to their digital livelihoods.
These white hats are actively scouring for open, misconfigured databases online. A political discovery can make their reputations and damage those in the industry caught unaware.
The recent case of Deep Root Analytics is the latest example. Chris Vickery, a cyber risk analyst with UpGuard, discovered an open Amazon cloud storage bucket that “included 1.1 terabytes of entirely unsecured personal [voter] information compiled by DRA and at least two other Republican contractors, TargetPoint Consulting, Inc. and Data Trust.”
His published findings produced a plethora of headlines and no small amount of embarrassment for a firm that “builds voter models to help enhance advertiser understanding of TV viewership.” But whether public embarrassment was enough to hurt Deep Root’s bottom line, even rival digital consultants disputed.
“Hearing about a whole list of voters leaking online gets more press than a list of people who like toothpaste leaking online,” David Radloff, co-founder of the Democratic firm Clarity Campaign Labs, said Thursday during a C&E panel in D.C. “It’s gets blown out of proportion I think.”
IMGE’s Ashleigh Grant said of the incident: “It shakes folks a bit, they’re like, ‘this is my life, it’s my privacy.’ But this isn’t anything new. Not to sound flippant, this is unfortunately just 2017.”
While Deep Root took responsibility for the incident, the firm blamed the exposure of “proprietary information as well as voter data” on “a recent change in access settings.”
Republican digital consultant Joshua Sharp, co-founder of Advoc8, said that while it’s incumbent upon any organization handling data to have the proper procedures in place, the risk of human error can never be entirely eliminated.
“Human error can happen, not just in data modeling, [but in] every aspect of a campaign,” Sharp said. “How many other mistakes have campaigns made that cause a headline? This is another one.”
Dan O’Sullivan, a cyber resilience analyst with UpGuard, argues the firm should have known better, in part because Amazon’s storage buckets are “notorious” for being left unguarded. Moreover, O’Sullivan said, “If you had a software update that caused a misconfiguration you should have procedures in place to notify you of that configuration,” he told C&E.
Asked if Deep Root felt its reputation has suffered from the incident, a spokeswoman for the firm responded: “DRA is focused on its internal investigation with cyber security firm Stroz Friedberg and on continuing to provide industry-leading insights and service to clients.”
Deep Root isn’t the first firm to have a vulnerability exposed by Vickery. He was also the first to reveal the existence of the open database connected to NationBuilder that contained voting records of 191 million registered U.S. voters.
Now, O’Sullivan denied his company’s analysts were gunning for consulting firms, instead insisting that Vickery was simply “looking for exposed databases.” Of his latest discovery, Vickery wrote it could be the “largest known exposure of voter information in history.”
“This is such a common problem. Any enterprise that’s relying on internet-facing systems will have the issues of cyber risk — of not knowing if databases are configured correctly,” O’Sullivan said.
Deep Root took responsibility for the breach, but it could still have far-reaching repercussions. There’s currently a lawsuit pending against the firm, which could become a class action. The company dismissed the suit as “entirely without merit” and stated: “We will fight it vigorously.”
But its reputation may take a hit. In NationBuilder’s case, the open database may have undercut the impact of its attacks against competitors, including NGP VAN. To other cyber security experts, the incident was just the latest example of the consulting industry ignoring a looming problem.
"The political ecosystem still hasn't learned the lessons of 2016,” John Bambenek, a cyber security expert, told C&E in reference to the bucket breach. “There is no excuse for what happened and these guys are far from the only ones with sloppy security.”
James Norton, a cyber security consultant and former Homeland Security official, disagreed. He said that the campaign industry is thinking more about online security, it just isn’t yet making investments to improve its situation.
“After recent events, campaign and political operatives clearly know that they must do more to protect their treasure troves of information from bad actors,” he said. “It is less clear, however, that they understand how to do that.”