
More than just a Data Breach: a Democratic Fundraising Firm Exposure


On October 17, a member of the Hacken cyber risk security team found an unprotected Buffalo TeraStation NAS instance.


NAS (Network Attached Storage) — a portable data storage server that provides file access to its clients. These devices are quite popular and are easily managed via an HTTP/HTTPS web interface. Buffalo TeraStation NASs are password-protected by default and are ‘the most secure NAS solutions’ on the market (according to the manufacturer’s site).

However, nothing protects your digital assets if you disable authentication and, as a result, the NAS web interface gets indexed by Shodan or any other IoT search engine (the Google of the IoT world). In lay terms, a misconfiguration resulted in the NAS becoming public.

Who Owns Data?

The NAS in question appeared to be managed by Rice Consulting, a Maryland-based Democratic fundraising firm. According to their site, over the 2017 fundraising season Rice Consulting teamed with Democrats to raise $4.32 million.


The storage contained detailed information on each of Rice Consulting’s clients (past, current, and potential), e-mail databases with details on thousands of fundraisers (phones, names, emails, addresses, companies), contracts, meeting notes, desktop backups, employee details, etc.


As per Shodan search results, there are more than 700 unprotected Buffalo TeraStation NAS devices across the US alone.

Significance of Data Breach Discovery

The most significant asset available to the public was passwords to database resources, including access details to NGP (a privately owned voter database and web hosting service provider used by the American Democratic Party, Democratic campaigns, and other non-profit organizations authorized by the Democratic Party), MDVAN (Maryland Voter Activation Network), DLCC (Democratic Legislative Campaign Committee), and DNC (Democratic National Committee) email accounts. All of those were stored in a non-encrypted Excel file.


The access log (also available among the other files in storage) shows the first connections made to the NAS on February 22. It includes IPs from Turkey, South Korea, and Thailand among others; scanning engines’ IPs, such as GreyNoise, are also there. We suppose that the NAS information could have been accessed by unauthorized and even malicious actors.
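The triage step described above (find the first external connection, separate known scanner infrastructure from unattributed sources, and see which external sources actually got successful responses) can be scripted. The following is an added example, not code from the original post or from Buffalo; since the article does not show the TeraStation log format, the line layout (ISO timestamp, source IP, method, path, status code), the sample lines and the "known scanner" prefix are all constructed for illustration.

```python
"""Triage a NAS web-interface access log for external connections.

Added example, not part of the original post. The log line format below
is an assumption; the sample log and the known-scanner prefix are constructed.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed sample log: internal connections first, then external ones.
SAMPLE_LOG = """\
2018-02-20T09:12:01 192.168.1.23 GET /login.html 200
2018-02-21T17:45:10 10.0.0.7 GET /cgi-bin/files 200
2018-02-22T03:14:55 203.0.113.17 GET / 200
2018-02-22T03:15:02 203.0.113.17 GET /cgi-bin/files 200
2018-02-23T11:02:40 198.51.100.9 GET / 200
2018-03-01T22:08:13 198.51.100.77 GET /robots.txt 404
2018-03-02T06:30:00 192.168.1.23 GET /cgi-bin/files 200
this line is malformed and should be skipped
"""

# Placeholder scanner prefix (a documentation range). Real scanner ranges
# must come from the scanner operators' own published lists.
KNOWN_SCANNER_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Address space we treat as "inside": RFC 1918, loopback, link-local, ULA.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+"
    r"(?P<ip>[0-9a-fA-F.:]+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)


def parse_log(text):
    """Yield (timestamp, ip_address, path, status) for each well-formed line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue
        yield (datetime.fromisoformat(m.group("ts")), ip,
               m.group("path"), int(m.group("status")))


def is_external(ip):
    """True when the source address lies outside the internal ranges above."""
    if isinstance(ip, str):
        ip = ipaddress.ip_address(ip)
    return not any(ip in net for net in INTERNAL_NETS)


def is_known_scanner(ip):
    return any(ip in net for net in KNOWN_SCANNER_NETS)


def triage(text):
    """Summarise external access: first external connection, external IPs split
    into known scanners and unattributed sources, and per-IP counts of 2xx
    responses (where actual data access would show up)."""
    first_external = None
    successful = Counter()
    scanners, unattributed = set(), set()
    for ts, ip, _path, status in parse_log(text):
        if not is_external(ip):
            continue
        if first_external is None or ts < first_external:
            first_external = ts
        (scanners if is_known_scanner(ip) else unattributed).add(str(ip))
        if 200 <= status < 300:
            successful[str(ip)] += 1
    return {
        "first_external": first_external,
        "scanner_ips": sorted(scanners),
        "unattributed_ips": sorted(unattributed),
        "successful_requests": dict(successful),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("first external connection:", report["first_external"])
    print("known scanners:", report["scanner_ips"])
    print("unattributed external IPs:", report["unattributed_ips"])
    print("2xx responses by external IP:", report["successful_requests"])
```

The unattributed set with successful responses is the list to follow up on; known scanners tell you when the device became discoverable, while unattributed sources with 2xx responses are the ones that may have read the files.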


Responsible Disclosure Issues

Immediately upon discovery, we sent email notifications directly to the Rice Consulting management team (luckily, their email was also in one of the files). However, no response was received within 24 hours, so, taking into account the sensitivity of the data, we called the Rice Consulting office the next day. The person who answered simply hung up.

One of my Twitter followers who agreed to help me reach Rice Consulting had the same communication issue: “The first person thought I had a marketing call and said "No thank you" and hung up. The second one acted like she was doing me a favor taking down the info”.

Finally, on October 18, public access to the NAS device and the sensitive files was disabled, and we received a ‘thank you’ note from Rice Consulting. We will update this article if/when we receive answers to our questions.

Lessons Learned

  • With so many unreliable emails floating around, sometimes it is difficult to discern what is legitimate and what is not. Nevertheless, it's not so hard to at least answer a call.
  • Follow cyber hygiene rules on each and every level within your organization:
    • use passwords;
    • do not re-use the same passwords on multiple accounts;
    • constantly check your IP environment from the public internet;
  • When outsourcing your IT tasks, make sure you work with a provider you can trust. A regular independent security audit won’t hurt at all, just like the services provided by Hacken specialists.
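The misconfiguration described earlier (authentication disabled on the web interface, so the NAS answered to anyone who found it) and the lesson to check your IP environment from the public internet come together in a simple self-check: fetch each of your own management URLs from outside the LAN without credentials and confirm the device still demands a login. The script below is an added example, not code from the original post or from Buffalo. Its classification rules are assumptions about typical device behaviour (a 401 challenge, a redirect to a login page, or a served login form means "protected"; a 200 carrying a file or directory listing means "exposed"), and the hostname and sample responses are constructed.

```python
"""Self-check: does a management web interface still require authentication?

Added example, not part of the original post. Run it against your own
devices from outside the LAN. The heuristics are assumptions about common
device behaviour; the placeholder URL below is constructed.
"""
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

LOGIN_PATH_HINTS = ("login", "signin", "auth")
PASSWORD_FIELD_RE = re.compile(r'<input[^>]+type=["\']?password', re.IGNORECASE)
# Markers of an unauthenticated file/directory listing (constructed heuristic).
LISTING_RE = re.compile(r"(Index of /|Parent Directory|<title>[^<]*\bfiles?\b)", re.IGNORECASE)


def classify(status, headers, body, url):
    """Return 'protected', 'exposed' or 'unknown' for one unauthenticated response.

    `headers` uses lower-case keys; `body` is decoded text; `url` resolves
    relative Location headers."""
    if status in (401, 407) and "www-authenticate" in headers:
        return "protected"          # HTTP auth challenge
    if status == 403:
        return "protected"          # refused without credentials
    if status in (301, 302, 303, 307, 308):
        target = urljoin(url, headers.get("location", ""))
        path = urlparse(target).path.lower()
        if any(hint in path for hint in LOGIN_PATH_HINTS):
            return "protected"      # bounced to a login page
        return "unknown"            # redirected elsewhere: inspect by hand
    if status == 200:
        if PASSWORD_FIELD_RE.search(body):
            return "protected"      # a login form is being served
        if LISTING_RE.search(body):
            return "exposed"        # content served with no credential at all
        return "unknown"            # 200 without a login form: review manually
    return "unknown"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so we can see the Location header."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def check_url(url, timeout=10):
    """Fetch `url` with no credentials and classify what comes back."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-selfcheck/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            status = resp.status
            headers = {k.lower(): v for k, v in resp.headers.items()}
            body = resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:      # 3xx/4xx/5xx arrive here
        status = err.code
        headers = {k.lower(): v for k, v in err.headers.items()}
        body = err.read(65536).decode("utf-8", "replace")
    except (urllib.error.URLError, OSError) as err:
        return {"url": url, "status": None, "verdict": "unreachable", "detail": str(err)}
    return {"url": url, "status": status, "verdict": classify(status, headers, body, url)}


def check_all(urls):
    """Check every URL and return the results that need attention first."""
    results = [check_url(u) for u in urls]
    order = {"exposed": 0, "unknown": 1, "unreachable": 2, "protected": 3}
    return sorted(results, key=lambda r: order[r["verdict"]])


if __name__ == "__main__":
    # Placeholder: replace with the public URLs of your own devices.
    for result in check_all(["https://nas.example.invalid/"]):
        print(result)
```

Only "protected" is a clean result; "unknown" means the device answered in a way the heuristics cannot judge and someone should open it in a browser, and "exposed" means the listing was served to an anonymous client, which is exactly the state Shodan indexes.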

About Hacken

Hacken is a global cybersecurity consultancy firm. We allow customers to acquire cybersecurity services in a timely and quality manner. Hacken Ecosystem provides a wide range of cybersecurity services; it consists of bug bounty and rewarding platform HackenProof, complex and sophisticated rating service Crypto Exchange Ranks, a set of most needed and valuable cybersecurity services represented in Hacken Hub, and cybersecurity conference HackIT.


 
Bob Diachenko

Director of Cyber Risk Research at Hacken. Our goal is to protect data by identifying data leaks and following responsible disclosure policies. Our mission is to educate businesses worldwide. My discoveries are covered by major technology media, which represent me as a reputable data security analyst. Email: v.diachenko@hacken.io
