UPDATED 22:24 EDT / JULY 18 2018

INFRA

Robocall company exposes voter records via misconfigured Amazon cloud instance

Everybody hates robocalls. Now there’s a new reason to hate them, after one leading company exposed voter information online via an unprotected Amazon.com Inc. cloud storage instance.

The latest entry in the cloud misconfiguration hall of shame comes via Kromtech Security’s Bob Diachenko, who discovered that Virginia-based political campaign and robocalling company RoboCent Inc. had exposed 2,594 files that included audio files with prerecorded political messages for robocalls and voter data.

The voter data consisted of personally identifiable information, including:

  • Full Name, suffix, prefix
  • Phone numbers, both cell and landlines
  • Address with house, street, city, state, zip, precinct
  • Political affiliation provided by state, or inferred based on voting history
  • Age and birth year
  • Gender
  • Jurisdiction breakdown based on district, zip code, precinct, county and state
  • Demographics based on ethnicity, language and education

Although not providing a total number of records exposed in the files, ZDNet pegged the number of voter records in the hundreds of thousands.

Although voter records in particular are publicly available, some states prevent the data from being used for commercial purposes.

Diachenko noted that he contacted the company before going public to get it to secure the data, which the company did. But it’s not clear whether the data had been accessed prior to that, particularly given that the data had been cached by sites such as Grayhat Warfare that scrape cloud storage instances such as those on Amazon Web Services’ S3 service.

Sam Bisbee, chief security officer at Threat Stack Inc., told SiliconANGLE that voter data is extremely sensitive. Leaks such as this “highlight the need for organizations to maintain visibility into where their data is located within their cloud infrastructure and whether the storage system is risk appropriate given the sensitivity of the information,” he said. “It’s easy for a fast-growing or seasonal organization like this one to lose track of that risk over time.”

Bisbee noted that “many companies have critical AWS cloud security misconfigurations” because it’s an easy mistake to make. “AWS customer needs to take responsibility for their security by prioritizing infrastructure visibility,” he said. “Find ways to proactively create transparency within the cloud to effectively manage the security of data and systems and you give your organization the best chance of defending itself against cybercriminals.”

Photo: Tom Arthur/Wikimedia Commons

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU