News reports are surfacing about a huge voter records leak in the US. According to reports, personal data on 198 million voters, including analytics data that suggests who a person is likely to vote for and why, was stored on an insecure Amazon server.
Itsik Mantin, director of security research at Imperva, said: “From the public information available, it seems that the voter database was found in a place where anyone from any point in the virtual world can access it.
"It is not the first time that a security researcher scanning the data buckets of cloud storage services has found that a significant portion of them are insecure, and that a significant portion of these contain personal data or sensitive business data. What’s unique in this event is the quantity and the sensitivity of the data that was kept negligently.
"The Artificial Intelligence era we’re living in, with AI solutions flourishing in almost every domain, is also the data era, as data is the material from which AI is made. In the data era, you collect what you can, store what you can, either for using it today for a specific purpose, or for using at some point in the future for a yet-to-be-known purpose, using a yet-to-be-developed algorithm.
"In this era, organisations find the task of controlling business critical data harder than ever, tracking the number of places where it is stored and cloned, as well as control of who accesses the data - when, why and for what purpose, legitimate or not. And even the organisation that builds the perfect data security solution, monitoring, analysing and assessing every data access, loses control when disclosing sensitive data to partners or customers, or even when one of its users decides to leak this data for ideological, financial or any other reasons.”
Terry Ray, chief product strategist at Imperva, added: “This was less a leak, but was rather an identified exposed server. From the information provided, the data is not known to have been stolen necessarily. It sounds to me that this is another case of incorrectly secured cloud based systems.
"Certainly, security of private data - especially my data, as I am a voter - should be of paramount concern to companies who offer to collect such data, but that security concern should ratchet up a few marks when the data storage transitions to the cloud, where poor data repository security may not have the type of secondary data centre controls of an in-house, non-cloud data repository.
"With more data being collected by companies than ever before, securing it is no small task. There are many factors that need to be taken into consideration. Are the environment and the data vulnerable to cyber threats? Who has access to the data? And there’s also the issue of compliance. Big data deployments are subject to the same compliance mandates and require the same protection against breaches as traditional databases and their associated applications and infrastructure.
"Much of the challenge of securing big data is the nature of the data itself. Enormous volumes of data require security solutions built to handle them. This means incredibly scalable solutions that are, at a minimum, an order of magnitude beyond that for traditional data environments. Additionally, these security solutions must be able to keep up with big data speeds.
"The multiplicity of big data environments is what makes big data difficult to secure, not necessarily the associated infrastructure and technology. There is no single logical point of entry or resource to guard, but many different ones, each with an independent lifecycle.
"There’s also the challenge presented by the lack of security knowledge and understanding in the people working most closely with the data: data scientists and developers. Data scientists, with their skills and experience working with structured and unstructured data to deliver new insights, don’t necessarily think about the security of the data. It’s not surprising given that new technologies have encouraged data scientists to view big data as a giant sandbox where they are the owners and can decide how the data will be used.
"While most development projects rely on access to non-sensitive, test data instead of live, production data, big data application development by its nature often falls outside of the more secure processes set up within IT. With higher-access privileges than many others in the organisation, developers also present a greater security risk either through accidental means or malicious intent.
"The number and breadth of data breaches continues to grow, therefore it is crucial that everyone understands and prioritizes implementing better security for big data.”
Robert Capps, VP of business development at NuData Security, said: “This is a serious data leak, which allows nation states to target ordinary US citizens for additional attacks and surveillance, as well as detailed voting information. If this wasn't bad enough, this highly detailed data could potentially be combined with stolen personal data from other data breaches already available on the dark web to create rich profiles of these individuals.
"Such profiles can be leveraged by cybercriminals and nation-state actors to not only track voting habits, but also use their identities for account takeovers, apply for new credit, and much more. The members of the electorate involved in this incident should immediately request a credit freeze with the major credit bureaus, and keep close track of account activity through commercial credit monitoring services, or monitoring of their own accounts.”
Tim Erlin, VP at Tripwire, who believes basic security controls were not followed, said: "The average citizen likely doesn’t appreciate the level at which this kind of data drives the political process. This is a treasure trove of personal information that was sitting unprotected on the Internet.
"The headline may be the discovery that this data was accessible, but the real concern is who accessed it previously without reporting the misconfiguration. When data is simply left accessible, without basic, foundational security controls, there’s no hacking required to gain access.
"The cloud may solve many problems, but it doesn’t magically secure your applications or data. Organizations need to ensure they’re implementing the same basic controls, regardless of where the systems reside.
"Any organization that is managing sensitive data, especially in the cloud, should look at this incident as a wake-up call. Executives should ask themselves if this kind of incident could occur inside of their organization, and then they should follow-up by asking exactly how it would be prevented."