Partners: Massive RNC Voter Info Data Leak In AWS Highlights Need For Cloud Security Expertise
Partners said the importance of a thorough understanding of cloud security is front and center after a massive leak on an AWS server that exposed voting data on nearly 200 million people.
The data was exposed by a misconfigured database stored on a publicly accessible cloud server, hosted on Amazon Web Services' Simple Storage Service (S3). The exposure was first reported by UpGuard's Cyber Risk Team and discovered by Risk Analyst Chris Vickery.
The data exposed, more than 1.1 terabytes, includes personal information on more than 198 million American voters, including names, dates of birth, home addresses, phone numbers, voter registration details, and more.
An UpGuard report on the findings said the data repository, which was owned by Republican National Convention-contracted marketing firm Deep Root Analytics, "lacked any protection against access." The report said anyone with an internet connection could navigate to the "dra-dw" bucket and download the contents of the data warehouse. UpGuard said an additional 24 terabytes of stored data also had not been configured correctly.
"That such an enormous national database could be created and hosted online, missing even the simplest of protections against the data being publicly accessible, is troubling. The ability to collect such information and store it insecurely further calls into question the responsibilities owed by private corporations and political campaigns to those citizens targeted by increasingly high-powered data analytics operations," the UpGuard report said.
Michael Crean, president and CEO at Woodbridge, Va.-based Solutions Granted, said incidents like this highlight the need for customers to make more informed decisions when it comes to implementing security solutions and compensating controls when migrating to the cloud.
"This isn't just about the RNC or about AWS. This is truly about all cloud services. Many, many organizations, especially with Office 365 … are moving to the cloud, but a lot of people have not thought about security services when it comes to the cloud," Crean said. "I think an incident like this really starts to materialize what is happening out there … Events like this are 'a-ha moments' and provide validation to our customers that this is a real challenge."
While this incident is extensive, Crean said the challenge around cloud security is even more far-reaching. He said more and more small and medium businesses are migrating to the cloud for cost and efficiency benefits, but may not be aware of the security concerns of the cloud.
"This is truly the beginning," Crean said. "There is probably massive amounts of data leakage, and that will continue to happen. People need to wake up and remember that they are responsible for the choices they make on where they put their data … As consumers, we want to know our data is safe."
UpGuard agreed in its report. The company said incidents like this add to the "increasing inability to trust in the integrity of information technology systems, particularly at scale." It said similar incidents could be prevented if stakeholders follow best practices in collecting and storing data.
"The fundamental problems which exposed this data are not rare, uncommon, or consigned to one side of the partisan divide … Despite the breadth of this breach, it will doubtlessly be topped in the future — to a likely far more damaging effect — if the ethos of cyber resilience across all platforms does not become the common language of all internet-facing systems," the UpGuard report said.
The problem of misconfigurations in cloud platforms isn't uncommon. According to a study by cloud security company Threat Stack, 73 percent of companies had at least one critical security misconfiguration, with the most common misconfigurations around SSH connections.
To prevent these issues, Eric Sessums, cyber security program developer at Tampa, Fla.-based NetWolves, said companies need to implement proper access controls and encryption. Without those tools, he said Amazon S3 cloud servers can expose data to the public. He said NetWolves is also adding a cyber command center to provide employee training, which he said can add an extra layer of security around the cloud.
"Better security configuration controls, access management, and cybersecurity personnel training is one of the ways to prevent exposure of sensitive data," Sessums said. "Training employees and contractors on cybersecurity procedures should always be on the forefront of any cybersecurity team’s practice."
Solutions Granted's Crean said companies should also look to cloud access security broker (CASB) solutions, not only to secure cloud environments initially but also to maintain security on an ongoing basis. He said a CASB solution is a tool that "could have easily stopped this from happening." He said partners can play a key role in helping customers navigate their move to the cloud in a secure way.
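The access-control and encryption checks recommended above can be run on an ongoing basis against each bucket's configuration. The following Python is an added example, not part of the original article or of any vendor's product: it flags ACL grants to S3's public groups, bucket-policy statements that allow a wildcard principal without a condition, and a missing default-encryption rule. The inputs are constructed samples shaped like the responses of the S3 GetBucketAcl, GetBucketPolicy and GetBucketEncryption calls; the bucket name `example-warehouse` and the function `audit_bucket` are hypothetical.

```python
import json

# Predefined S3 ACL groups that mean "anyone" or "any AWS account holder".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_wildcard_principal(principal):
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return principal == "*"

def audit_bucket(acl, policy_json, encryption):
    """Return findings for one bucket from its ACL, policy and encryption config."""
    findings = []
    for grant in acl.get("Grants", []):
        if grant.get("Grantee", {}).get("URI") in PUBLIC_GROUPS:
            findings.append(f"acl: {grant['Permission']} granted to public group")
    policy = json.loads(policy_json) if policy_json else {}
    for stmt in _as_list(policy.get("Statement", [])):
        # Simplification: any Condition is treated as a restriction and not evaluated.
        if (stmt.get("Effect") == "Allow" and not stmt.get("Condition")
                and _is_wildcard_principal(stmt.get("Principal"))):
            actions = ",".join(_as_list(stmt.get("Action", [])))
            findings.append(f"policy: Allow * on {actions}")
    rules = (encryption or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not any(r.get("ApplyServerSideEncryptionByDefault") for r in rules):
        findings.append("encryption: no default server-side encryption rule")
    return findings

# Constructed sample input (hypothetical bucket "example-warehouse").
OPEN_ACL = {"Grants": [{"Grantee": {"Type": "Group",
            "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-warehouse", "arn:aws:s3:::example-warehouse/*"]}})
LOCKED_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
              "Permission": "FULL_CONTROL"}]}
LOCKED_ENC = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}

if __name__ == "__main__":
    print("open:", audit_bucket(OPEN_ACL, OPEN_POLICY, None))
    print("locked:", audit_bucket(LOCKED_ACL, None, LOCKED_ENC))
```

Passing `None` for the policy or encryption argument stands for a bucket where that configuration is absent.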