During the 2016 election, the Republican National Committee (RNC) hired Deep Root Analytics (DRA) to analyze political voting behaviors of Americans. DRA is storing 25 terabytes of sensitive voter information in an Amazon Simple Storage Service (Amazon S3) bucket.
On June 12, a cybersecurity researcher discovered that the Amazon S3 bucket was publicly exposed due to a common misconfiguration. As a result, sensitive personal data such as name, address, date of birth, phone number, and party affiliation belonging to over 198 million registered American voters from all parties was exposed. In addition, DRA had created advanced algorithmic modeling in categories such as religion and ethnicities to understand political preferences.
Voter data, as a general rule of thumb, is public. However, how you vote is always private and obtaining this information is not easy. If obtained, this data must not be used for commercial purposes. Moreover, different states have laws that restrict the distribution of the data and how it can (or cannot) be accessed on the internet. For example, California prohibits the distribution of voter data outside of the U.S.
This breach has led to the exposure of 99% of American voters’ records and puts the shared responsibility model of cloud platforms like Amazon Web Services (AWS) in the limelight once again. While it will be easy for people to point fingers and claim that the cloud is insecure, the reality is that it is an organization’s responsibility to ensure that its networks, users and resources are securely configured in the cloud. The RedLock Cloud Infrastructure Security Trends Report from May highlighted that over 40% of organizations have accidentally exposed data stored in at least one cloud storage service such as Amazon S3.
Public cloud infrastructure such as AWS can be highly secure if configured correctly by organizations adopting such services. Poor risk posture in the cloud is a result of organizations rushing to deploy services in the cloud without the appropriate security visibility and monitoring controls in place.
A few months ago, the RedLock Cloud Security Intelligence (CSI) team issued a security advisory that provides details on the Amazon S3 misconfiguration risk. It also recommends best practices to avoid the issue.
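As an added illustration (not code from RedLock, AWS, or the advisory), the Python sketch below audits a bucket's ACL and bucket policy for public access. The article does not say which setting was wrong in this incident, so the example assumes the two usual routes: an ACL grant to the predefined AllUsers or AuthenticatedUsers groups, and a bucket policy `Allow` statement with a wildcard principal. The sample documents are constructed and shaped like the output of the S3 GetBucketAcl and GetBucketPolicy calls.

```python
import json

# Predefined S3 grantee groups that make an ACL grant public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

def public_acl_findings(acl):
    """Return findings for grants to public groups in a GetBucketAcl-shaped dict."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        who = PUBLIC_GROUPS.get(grantee.get("URI", ""))
        if grantee.get("Type") == "Group" and who:
            findings.append(f"ACL grants {grant.get('Permission')} to {who}")
    return findings

def _is_wildcard(principal):
    # Principal may be "*", {"AWS": "*"} or {"AWS": ["*", ...]}.
    if principal == "*":
        return True
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return "*" in ([aws] if isinstance(aws, str) else aws)

def public_policy_findings(policy_json):
    """Return findings for Allow statements whose principal is a wildcard."""
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    findings = []
    for s in stmts:
        if s.get("Effect") == "Allow" and _is_wildcard(s.get("Principal")):
            scope = "conditionally public, review Condition" if s.get("Condition") else "public"
            findings.append(f"policy statement {s.get('Sid', '<no Sid>')} is {scope}")
    return findings

# Constructed sample documents for the example; not data from the incident.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpceOnly", "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*", "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
    {"Sid": "Admin", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
]})

if __name__ == "__main__":
    for finding in public_acl_findings(SAMPLE_ACL) + public_policy_findings(SAMPLE_POLICY):
        print(finding)
```

A statement with a wildcard principal and a `Condition` is reported separately because the condition may or may not restrict access enough; it needs a manual review rather than an automatic pass.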