As the calendar ticks closer to November and the cycle nears a close without the kind of sensational hacking story that dominated past presidential cycles, practitioners would be forgiven for thinking that the threat of a cyber security breach is trending downward.
In fact, the opposite is true, according to an expert in the space.
Defending Digital Campaigns recently released a report on research conducted by cyber security vendor VoterGuard that found 27,000 personal accounts and passwords related to campaigns were available online.
This figure represents exposed and breached accounts, both of which contain a risk for the account holder. “Even if a password hasn’t been exposed, attackers can still use the publicly available details from exposed accounts to craft convincing social engineering or phishing attacks,” DDC wrote in a blog post. “For local campaigns, where volunteers and staff often use personal emails and repeat passwords, this significantly increases the chances of account takeover.”
Michael Kaiser, president & CEO of DDC, told C&E that “not only are these things that might be exposed through unintentionally, maybe through social [media], but that you could cobble that together with stuff on the dark web from data breaches, and you could get really a lot of information about some of these people and some of that information makes it really actionable.”
Despite the near-end of the cycle, Kaiser said the risk of a possible breach hasn’t subsided. In fact, he pointed to the recently thwarted DDS attack on the Georgia secretary of state’s absentee voting website as an example of how high the threat level remains.
“That’s a relatively easy attack to do, and this is the moment that that would happen,” he said. “This is where if you want to have an impact.”
There’s also been reports of attempts by the Chinese government to hack the phones used by former President Trump and his running mate, JD Vance. And beyond those high-profile hacks, another report showed that some 75 percent of Senate campaign websites hadn’t achieved Domain-based Message Authentication, which leave them vulnerable to spoofing and phishing attacks.
Kaiser has long said that DMARC authentication is a basic cyber hygiene practice — as is using a password manager. “You can check your passwords on the dark web to see if any of them have been compromised —and it will tell you,” he said. “At this late state, they should assume that it is out there and that they should just adopt a Passkey [for the] campaign.”
