Security Central: Glitch Leaves Alaskan Voters Out in the Cold, SEC Reveals Breach
Oops!… They did it again. For what seems like the billionth time, U.S. voter records have been exposed, this time targeting Alaska. A cache of voter records containing the personal information of nearly 600,000 voters in Alaska was inadvertently exposed online. The culprit? An unsecured CouchDB database. And just, you know, a giant oversight.
The exposure was discovered by researchers at the Kromtech Security Research Center, who determined that the database of about 593,000 voters (that’s every registered voter in the state of Alaska) was accidentally configured for public access. That means it was just out there, floating in the breeze without any sort of password protection or security wall, accessible to anyone who knew where to look. No logging in, no verification, nada.
The exposed records contained the usual sensitive data of prospective voters including names, addresses, dates of birth, ethnicity, marital status and voting preferences. This time, though, it went deeper than that. They also contained extremely personal information such as household income, the age ranges of children, whether the person is a homeowner and stances on controversial issues such as climate change, gun control and tax reforms.
The voter database had been compiled by TargetSmart, a leading broker of voter data, but appears to have been stored in a misconfigured online database by the marketing group Equals3, which purchased the list from TargetSmart.
“In this era of pervasive data-driven sales, marketing and operations, data is the raw material for successful businesses and political campaigns,” said Zohar Alon, co-founder and CEO, Dome9. “It is more important than ever to define strict controls and practices for the handling of sensitive data, especially when there are multiple vendors touching the data.”
Alon goes on to say that attackers are looking for two things: repositories with data of value to organizations and weak security practices. As more data makes its way to the public cloud and security practices around CouchDB become more standardized and robust, attackers will shift their attention to other low-hanging fruit and exploit commonly known security gaps such as misconfigurations.
Hard to miss the lesson here. Even though disaster was avoided in this case, it’s a good reminder for customers and providers alike.
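For anyone running CouchDB themselves, the "lesson" above boils down to three settings. Here is an added example (not from the article, Kromtech, or the CouchDB project) that audits a CouchDB ini-style config for the conditions that produce exactly this kind of exposure: an empty `[admins]` section (CouchDB's so-called "admin party", where every anonymous request is treated as an administrator), `require_valid_user` left off, and a `bind_address` that listens on every interface. The section and key names are CouchDB's real ones; both sample configs and the admin password hash in them are constructed for the example.

```python
"""Audit a CouchDB local.ini-style config for anonymous-access misconfiguration.

Added example, not code from the article or the CouchDB project. The sample
configs at the bottom are constructed; the pbkdf2 hash is a placeholder.
"""
import configparser
from typing import List

# Real CouchDB config sections: "chttpd" is the clustered HTTP layer (2.x+),
# "httpd" the legacy 1.x layer; require_valid_user lives in either
# [chttpd] (2.x+) or [couch_httpd_auth] (1.x).
HTTP_SECTIONS = ("chttpd", "httpd")
AUTH_SECTIONS = ("chttpd", "couch_httpd_auth")


def parse_couchdb_ini(text: str) -> configparser.ConfigParser:
    """Parse CouchDB's INI format (';' full-line comments, no interpolation)."""
    cfg = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cfg.read_string(text)
    return cfg


def audit_couchdb_config(text: str) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    cfg = parse_couchdb_ini(text)
    findings: List[str] = []

    # 1. No admin defined => "admin party": every anonymous client is _admin.
    admins = dict(cfg.items("admins")) if cfg.has_section("admins") else {}
    if not admins:
        findings.append("admin party: [admins] is empty, so anonymous clients are _admin")

    # 2. Unless require_valid_user is true, unauthenticated reads are served.
    require_valid = any(
        cfg.has_section(s) and cfg.getboolean(s, "require_valid_user", fallback=False)
        for s in AUTH_SECTIONS
    )
    if not require_valid:
        findings.append("anonymous access: require_valid_user is not true in "
                        "[chttpd] or [couch_httpd_auth]")

    # 3. Binding to all interfaces exposes the HTTP API beyond localhost.
    for s in HTTP_SECTIONS:
        if cfg.has_section(s):
            bind = cfg.get(s, "bind_address", fallback="127.0.0.1").strip()
            if bind in ("0.0.0.0", "::", "any"):
                findings.append(f"public bind: [{s}] bind_address = {bind} "
                                "listens on all interfaces")
    return findings


# Constructed sample: the shape of config that leaves a database wide open.
WEAK_INI = """
; constructed sample, nobody listed as admin, listening everywhere
[chttpd]
port = 5984
bind_address = 0.0.0.0

[admins]

[couch_httpd_auth]
require_valid_user = false
"""

# Constructed sample: admin set, anonymous access refused, localhost only.
HARDENED_INI = """
; constructed sample, hash value below is a placeholder, not a real digest
[chttpd]
port = 5984
bind_address = 127.0.0.1
require_valid_user = true

[admins]
admin = -pbkdf2-0123456789abcdef0123456789abcdef,0123456789abcdef,10
"""

if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        findings = audit_couchdb_config(ini)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Point the audit at a real instance's `local.ini` (read the file and pass its contents to `audit_couchdb_config`) as part of a deployment check; in a multi-vendor hand-off like the TargetSmart-to-Equals3 one, a check like this belongs in the recipient's provisioning pipeline, not in a reviewer's memory.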
Our second story shines a spotlight on the Securities and Exchange Commission (SEC). The institution revealed this week that hackers had previously breached its store of files on publicly traded companies. Previously, as in last year. As in 2016.
On Wednesday, SEC Chairman Jay Clayton released an eight-page statement on cybersecurity that describes the 2016 system breach of EDGAR, a platform which collects the detailed financial reports that publicly traded companies are required by law to release. According to Clayton, the agency was completely in the dark on this – it didn’t discover until last month that the breach could have served up important and private information that hackers could exploit to make illegal trades.
Back in July, the Government Accountability Office released a report that found deficiencies in the SEC’s information systems that “limited the effectiveness of the SEC’s controls for protecting confidentiality, integrity and availability.” And here’s the kicker – the report also found that the SEC did not always encrypt information and had failed to fully implement recommendations that would help detect intrusion.
SEC’s new director, Walter J. Clayton, has said the agency would work to improve its cybersecurity protections. “We must recognize — in both the public and private sectors, including the SEC — that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.”
Our final story takes a look at new findings from part one of Intermedia’s 2017 Data Vulnerability Report, which looks at the security behaviors and general work habits of more than 1,000 office workers in the United States.
The report states that as security threats like ransomware and phishing expand in scope and damage, anyone who works in an office (from CEOs all the way to interns) will continue to fall victim to and serve as the prime target for such attacks, despite an organization’s effort to educate and train their employees on security best practices.
Here are a few of the key findings:
- Nearly half (49%) of office workers said they could not tolerate losing access to work data for more than a few hours.
- Roughly one-in-five (21%) admit to being victims of phishing emails.
- Male office workers (90%) are more confident than female office workers (83%) in their ability to detect a phishing email.
- 86% of office workers feel confident in their ability to detect phishing emails, but roughly one in seven said they are not confident or do not know what phishing is.
The report also touches on the disparity between the number and severity of attacks in recent years and the surprising lack of employee training. “Today’s rapidly changing threat landscape makes it more important than ever for companies to educate employees on new types of cyberattacks and vulnerabilities,” says Ryan Barrett, Intermedia’s Vice President of Security and Privacy.
Barrett uses the recent Equifax breach as an example. The attack was “by far the most invasive when you consider the sheer amount of sensitive personal data that’s been accessed. This incident further arms scammers and hackers with information to craft exceptionally compelling, targeted phishing attacks. At this point, businesses should assume that bad actors are going to try to use this information to gain access to their systems.”
Can we get an “amen?”
The views expressed in this column do not necessarily reflect the views of Penton Media or The VAR Guy editorial staff.