UPDATED 22:24 EDT / JULY 18 2018


Robocall company exposes voter records via misconfigured Amazon cloud instance

Everybody hates robocalls. Now there’s a new reason to hate them, after one leading company exposed voter information online via an unprotected Amazon.com Inc. cloud storage instance.

The latest entry in the cloud misconfiguration hall of shame comes via Kromtech Security’s Bob Diachenko, who discovered that Virginia-based political campaign and robocalling company RoboCent Inc. had exposed 2,594 files that included audio files with prerecorded political messages for robocalls and voter data.

The voter data consisted of personally identifiable information, including:

  • Full Name, suffix, prefix
  • Phone numbers, both cell and landlines
  • Address with house, street, city, state, zip, precinct
  • Political affiliation provided by state, or inferred based on voting history
  • Age and birth year
  • Gender
  • Jurisdiction breakdown based on district, zip code, precinct, county and state
  • Demographics based on ethnicity, language and education

No total number of exposed records was provided, but ZDNet pegged the number of voter records in the hundreds of thousands.

Although voter records in particular are publicly available, some states prevent the data from being used for commercial purposes.

Diachenko noted that he contacted the company before going public to get it to secure the data, which the company did. But it’s not clear whether the data had been accessed prior to that, particularly given that the data had been cached by sites such as Grayhat Warfare that scrape cloud storage instances such as those on Amazon Web Services’ S3 service.

Sam Bisbee, chief security officer at Threat Stack Inc., told SiliconANGLE that voter data is extremely sensitive. Leaks such as this “highlight the need for organizations to maintain visibility into where their data is located within their cloud infrastructure and whether the storage system is risk appropriate given the sensitivity of the information,” he said. “It’s easy for a fast-growing or seasonal organization like this one to lose track of that risk over time.”

Bisbee noted that “many companies have critical AWS cloud security misconfigurations” because it’s an easy mistake to make. “AWS customers need to take responsibility for their security by prioritizing infrastructure visibility,” he said. “Find ways to proactively create transparency within the cloud to effectively manage the security of data and systems and you give your organization the best chance of defending itself against cybercriminals.”

Photo: Tom Arthur/Wikimedia Commons
