In the biggest US voter data breach ever seen, the personal details of nearly 200 million Americans have been leaked online by a marketing firm working for the Republican National Committee.
Telephone numbers, home addresses, birth dates and political views were among the vast number of data sets left publically accessible on an Amazon cloud server.
With the high level of political tension in the United States, the exposure of the political biases of the majority of the country adds another level of severity to the exposure of personal information.
This colossal data breach stands as an alarming reminder to organisations of all sizes that security procedures must be practiced at all times. The catastrophic mistake also points towards human error again as a major cause of successful malicious cyber activity.
Sharing their thoughts on the data breach, a number of professionals within the industry have analysed the incident and given their key takeaways to prevent such events at a time when cyber awareness is most needed.
A Culture of Internet Security is Needed
David Navin, Corporate Security Specialist at Smoothwall:
“Just when you thought the political scene in America couldn’t become any more charged, a massive leak of nearly 200 million American electorate’s personal information has just been discovered. The root of the leak seems to have stemmed from a marketing company working for the Republican National Committee, who unintentionally dumped names, addresses, phone numbers and voter registration details on a publicly accessible server. What’s concerning here, is that this data was totally unprotected and unsecure while on the public database, able to be accessed by anyone with a link.
“This massive leak exposes – or has indeed already exposed – the vast majority of Americans to fraud and identity theft in a way never thought possible. This calls in to question the way in which companies are amassing personal data about millions of citizens without putting the right security measures in place. All data, particularly with information as sensitive as the one in question, must be stored securely with the most effective endpoint and network protection to prevent the information being accessible to anyone.
“As 95% of security breaches are caused by human error, it’s time every single company – from SME to political data firm – instils a culture of internet security. It can’t just be restricted to board level, but must trickle down to all employees to ensure they have the right training and are knowledgeable enough to protect data securely.”
The Cloud Does Not Magically Secure Data
Tim Erlin, VP at Tripwire:
“The average citizen likely doesn’t appreciate the level at which this kind of data drives the political process. This is a treasure trove of personal information that was sitting unprotected on the Internet.”
“The headline may be the discovery that this data was accessible, but the real concern is who accessed it previously without reporting the misconfiguration.”
“When data is simply left accessible, without basic, foundational security controls, there’s no hacking required to gain access.”
“The cloud may solve many problems, but it doesn’t magically secure your applications or data. Organizations need to ensure they’re implementing the same basic controls, regardless of where the systems reside.”
“Any organization that is managing sensitive data, especially in the cloud, should look at this incident as a wake-up call. Executives should ask themselves if this kind of incident could occur inside of their organization, and then they should follow-up by asking exactly how it would be prevented.”
The Shared Responsibility of Cloud
Anurag Kahol, CTO at Bitglass:
“This incident serves to highlight the shared responsibility model of the cloud and reinforces the fact that while cloud applications themselves can be secure, it is up to enterprises to use the applications securely. In relation to this specific case, there are technologies available today that could have quickly, easily and cost effectively encrypted the sensitive voter PII, en route to the cloud. This would have ensured that even after unauthorised access, the data would have been protected.”
CIOs Should Understand Normal Behaviour
Matt Moynahan, CEO of Forcepoint:
“The accidental data leakage of 200 million American voter records is the latest example of an unfortunate but sobering reality – more often than not, data breaches are caused not by malicious hackers but by inadvertent errors made by employees. Regardless of whether organizations are securing data using on-premises or cloud-based technology, like in the case of Deep Root Analytics, organizations need to balance protecting privacy and understanding how their employees interact with critical business data and intellectual property.
“They should look at people and protect against those behaviors that could result in the loss of valuable data or IP. Governments and corporations would make sustainable progress against these sorts of breaches only with a blend of human-centric security technologies, policies, cultural changes and intelligent systems that can observe cyber behavior and decipher intent.
“Enabling CISOs and CIOs to understand what the company-wide baseline for ‘normal’ behavior looks like could help to identify abnormal or risky behavior. That’s the only efficient way to proactively protect users, critical data and, most importantly, at the point at which they intersect – at the human point. Unless the security industry embraces this human-centric security approach, we’ll continue to spend more than 100 billions of dollars a year on protecting infrastructure when we should be focusing on understanding people’s behavior.”
Encryption is Vital…Especially with Public Cloud
Peter Carlisle, VP of EMEA at Thales e-Security:
“A breach of this scale that encroaches on impacts the lives of millions of citizens in the world’s largest economy is a reminder of the importance of the need to implement the appropriate robust cyber security measures to protect individuals’ personal data as well as data possessed by corporations and governments around the world.
“Organisations need to understand just how important implementing encryption is – especially when storing data in the public cloud. Anyone could have accessed citizens’ sensitive data as long as they had a link to it. The impact of this data breach could have been minimised if encryption was used to protect the data in the cloud, and the Republican Party were in control of the keys. With encryption, the information can be rendered useless to a hacker with malicious intent, even against the risks of human error.”
Companies Unconsciously Shooting Themselves in the Foot
Raj Samani, chief scientist and fellow at McAfee:
“Data is currently one of the world’s most valuable commodities and yet every day a data breach, leak or hack is reported. This latest leak is particularly alarming – due to both the vast quantity of information left unguarded and the nature of that data. As companies collect more and more data, they may be unconsciously shooting themselves in the foot in their efforts to be completely secure. Organisations often have too many tools operating in silo at once – and failing to communicate with each other.
“It is now not unusual for businesses to have over 10 security tools which require constant monitoring, meaning that human error becomes a key factor in the security of our data. Companies need to focus on building a fully integrated security system with automated monitoring in place to ensure that they are always one step ahead.”
The views expressed by these professionals hammers home a message that is beginning to gain traction, that organisations must have top to bottom understanding and responsibility when it comes to cyber security. Cyber attacks are criminal, and not simply a problem for an IT department to wrestle with, the board must be aware, and so must be executives and other departments within the organisation.
For businesses in the UK and Europe this incident will undoubtedly prompt thoughts of the impending arrival of GDPR, and the crippling financial punishments that are set to be implemented in the event of blatant failure to protect important information. Another common message being shared within the tech industry is that data is now our most valuable commodity