Poor Information Security Practices Lead to Massive Data Leak

A Republican National Committee data analytics firm, Deep Root Analytics, disclosed that as many as 198 million U.S. citizens’ names, dates of birth, home addresses, phone numbers, and other identifiable information were exposed to the internet due to a database misconfiguration. Many firms are hastily moving to the cloud without fully understanding the security implications of doing so. Rolling out new cloud implementations makes data collection and analysis simpler tasks. Without a proper security framework around them, however, that data is accessible from the internet and far more likely to be retrieved by someone it was never meant for.

Chris Vickery of UpGuard responsibly disclosed the breach to Deep Root Analytics when he discovered 1.1 terabytes of accessible information in an Amazon Web Services S3 (AWS S3) bucket that had no data access protection layers in place. The dataset appears to have been collected from a diverse set of inputs ranging from Reddit posts to official RNC databases such as Americans for Prosperity, TargetPoint, and The Kantar Group. By misconfiguring the S3 bucket’s data access layers, Deep Root Analytics allowed the UpGuard researcher to locate the data by doing what’s known as “bucket browsing.”

Bucket browsing involves using a standard web browser or a URL-fetching program such as curl or wget to pull bucket URLs such as http://s3.amazonaws.com/[bucketname]. With company names and dictionary files as candidates, locating buckets is relatively easy. There are three possible responses in the returned XML: “NoSuchBucket” for a bucket that does not exist; “AllAccessDisabled” or “AccessDisabled” for a correctly implemented bucket that denies public access; or, for an open bucket, the bucket’s metadata and object listing dumped to the screen as tagged text.

Resolving these issues correctly demands taking the time to create a security policy and requiring adherence to it by all entities. Automation then needs to be built around that policy to ensure compliance whenever new objects are generated. The policy needs to be audited before an entity goes into production, with further automation to ensure the policy is not weakened after the push to production. Cross-team collaboration between DevOps and embedded security professionals builds a greater understanding of the “hows” and “whys” of security research. Data at rest, especially data that is world-accessible, needs to be encrypted at all times with a salted hash. Amazon provides a set of APIs that allow the data to be encrypted on either the server side or the client side, depending on the end-user requirements.
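The audit automation this paragraph calls for, as an added example that is not the article’s or Fornetix’s code: it flags a bucket whose ACL grants access to the AllUsers or AuthenticatedUsers groups while S3 Block Public Access is not fully enabled, and a bucket with no default server-side encryption. The dict shapes are those boto3 returns from get_bucket_acl, get_public_access_block and get_bucket_encryption; the bucket names and settings are constructed, not taken from the Deep Root incident.

```python
# Added example (not the article's or Fornetix's code). Dict shapes mirror boto3's
# get_bucket_acl / get_public_access_block / get_bucket_encryption responses.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"            # anyone on the internet
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"  # any AWS account
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def public_grants(acl):
    """(group, permission) pairs in a bucket ACL that open it beyond the owning account."""
    out = []
    for grant in acl.get("Grants", []):
        g = grant.get("Grantee", {})
        if g.get("Type") == "Group" and g.get("URI") in PUBLIC_GROUPS:
            out.append((g["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return out

def public_access_blocked(pab):
    """True only when all four S3 Block Public Access switches are on."""
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    return all(cfg.get(flag) is True for flag in PAB_FLAGS)

def default_encryption(enc):
    """Default SSE algorithm ('AES256' or 'aws:kms'); None if no rule (boto3 raises there)."""
    for rule in (enc or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", []):
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo:
            return algo
    return None

def audit_bucket(name, acl, pab=None, enc=None):
    findings = []  # empty list == both checks passed
    grants = public_grants(acl)
    if grants and not public_access_blocked(pab):
        findings.append(f"{name}: public ACL grants {grants}, Block Public Access not fully on")
    if default_encryption(enc) is None:
        findings.append(f"{name}: no default server-side encryption configured")
    return findings

SAMPLE = {  # constructed data: one bucket configured like the leak, one hardened bucket
    "leaky-voter-data": (
        {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
        None, None),  # no Public Access Block, no default encryption
    "hardened-bucket": (
        {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"}, "Permission": "FULL_CONTROL"}]},
        {"PublicAccessBlockConfiguration": dict.fromkeys(PAB_FLAGS, True)},
        {"ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}),
}

def audit_all(buckets=SAMPLE):
    return {name: audit_bucket(name, *args) for name, args in buckets.items()}
```

Run as a gate before a bucket goes to production and again on a schedule, so a policy weakened after the push is caught rather than discovered by a researcher.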

Adherence to security best-practices, regular audits, and data encryption could have prevented this data leak. Failure to do so has exposed a large percentage of U.S. citizens to potential identity theft or worse. Until security best-practices become standard in every deployment, data leaks of this size will become more and more common.

Fornetix is helping organizations unleash the full potential of encryption by conquering the key management bottleneck. Our VaultCore ecosystem automates the key lifecycle across the entire enterprise with groundbreaking precision and speed.

The security of your data is only as good as the weakest link. When information is properly encrypted, it reveals nothing of value when a breach occurs. For more information on the importance of securing your entire supply chain, we invite you to download our free whitepaper.

Note: This entry has been edited to reflect the ‘Key Orchestration’ solution name becoming ‘VaultCore’.