As the US elections are nearing, reports about hacks and data breaches involving political parties seem to repeatedly surface online. Recently, a researcher has discovered an unsecured NAS device exposing a large chunk of sensitive data online. The device allegedly belonged to a consulting firm that handles the data of Democratic Party fundraisers.
Democratic Party Fundraisers Data Leaked Online
Researcher Bob Diachenko allegedly stumbled upon an unsecured instance of Buffalo TeraStation NAS device. While finding an unprotected Buffalo TeraStation NAS isn’t surprising, what caught his eye is the type of data the device leaked. Upon investigation he found the data belonged to a consulting firm managing Democratic Party Fundraisers.
According to his findings, the NAS device belonged to Rice Consulting who are based in Maryland. The data leaked here included sensitive information about the political fundraisers. These details include names, contacts numbers, email addresses, physical addresses, and companies of fundraisers, in addition to other stuff such as meeting notes, contracts, backups, and employee details, etc.
Moreover, the device also held other sensitive stuff that was exposed online. As listed by Diachenko,
“The most significant asset available for public were passwords to database resources, including access details to NGP (a privately owned voter database and web hosting service provider used by the American Democratic Party, Democratic campaigns, and other non-profit organizations authorized by the Democratic Party), MDVAN (Maryland Voter Activation Network), DLCC (Democratic Legislative Campaign Committee) and email accounts (incl DNC, Democratic National Committee email accounts).”
What’s more ironic is that all this data was simply stored unencrypted in the device, in plain text Excel files!
Researcher Noticed Weird Response Of Rice Consulting
Diachenko stated that he discovered the unsecured NAS device leaking the data on October 17, 2018. After discovering the data, the researcher reached out to the said firm to inform them of the vulnerability. He did not receive any response from the firm officials to his calls and emails.
A Maryland-based Dem fundraising firm leaking data. All of them, as a result of a server lapse. No response for more than 24 hours, “I think you’ve dialed the wrong number” – the only response I have when trying to call them. Anybody willing to assist and communicate it right?
— Bob Diachenko (@MayhemDayOne) October 18, 2018
However, contacting anybody at the consulting firm seemed impossible. Nonetheless, after a day, he received a mere “thank you note” from the consulting firm when he noticed that they disabled the public access to the data.
Although the firm fixed the matter, the strange response to this matter by the officials is noteworthy. Commenting about this reaction, he said,
“I agree that with so many unreliable emails floating around, sometimes it is difficult to discern what is legitimate and what is not. But it is not so hard to at least listen to a messenger.”
Take your time to comment on this article.