A consulting firm that works with Democratic campaigns unknowingly left sensitive fundraiser information and credentials to old voter record databases open on the internet, according to a report published on Wednesday.
Cybersecurity company Hacken says it discovered an unprotected network-attached storage (NAS) device managed by Rice Consulting, a Maryland firm that provides fundraising and mass communication to Democratic clients. Authentication was reportedly disabled on the NAS, and Hacken says that it was indexed by Shodan, an Internet-of-Things search engine.
With its contents publicly accessible, the NAS revealed details about Rice Consulting’s clients as well as details about “thousands of fundraisers,” Hacken says. Those details include names, phone numbers, emails, addresses and companies. There were apparently also contracts, meeting notes, desktop backups and employee details.
Rice Consulting did not respond to an email request for comment on the Hacken report. When CyberScoop called the firm, the person who answered said “There’s no one here who can tell you anything,” and hung up.
Hacken said it tried contacting Rice Consulting, initially to no avail. The company also reportedly did not respond to emails and hung up when Hacken called.
“Finally, on October 18, public access to NAS device and sensitive files has been disabled and we received a ‘thank you’ note from Rice Consulting,” Hacken said. “With so many unreliable emails floating around, sometimes it is difficult to discern what is legitimate and what is not. Nevertheless, it’s not so hard to at least answer a call.”
Hacken also said that it found unencrypted spreadsheets full of credentials to databases managed by a company that collects voter information and provides technology services for Democratic campaigns. The company, NGP VAN, said that the databases in question were outdated and haven’t been accessed in years.
“NGP VAN confirmed that the accounts in the Rice documents were all old and currently inactive, with the last login for any of those accounts being in 2015,” the company said in an emailed statement.
As for Rice Consulting’s NAS, Hacken says that its access logs show activity by IP addresses from Turkey, South Korea and Thailand, as well as IP scanning services like GrayNoise.
“We suppose that NAS information could have been accessed by non-authorized and even malicious actors,” Hacken says in its blog post.
This isn’t the first instance of a private organization apparently exposing election-related information. In July, it was reported that hundreds of thousands of voters’ records were left exposed by a Virginia robocalling firm due to a misconfigured server.
Voter data can be coveted by malicious actors, with the possibility of trying to interfere in the voting process or using the data for identity fraud. A recent report from Anomali and Intel 471 showed that some people are crowdfunding to buy voter data off hacker forums. Voter registration information is often public information, but there are some restrictions to obtaining it.