The recent news about a data firm accidentally leaking personal details of voters plays right into the drama of election cycle and political climate filled with leaks and cybersecurity concerns.
However, this leak also shows just how vulnerable we all are when our personal information is entrusted – knowingly or not – to a third party. I had no idea that so much information about my life, and the lives of my family members, was in the hands of a company called Deep Root. I’m not surprised, but that’s another issue.
What’s making our personal information so vulnerable? It’s how it is stored and how that storage method is protected. In this case, Deep Root’s basic cloud security protocols were a complete fail, as eWeek explained:
The data was exposed following a software upgrade, when the company forgot to turn on the password protection again. . . . Yes, that’s right. Deep Root protected a data store with highly proprietary data belonging to the RNC using simply a password. That was it. There was no attempt to logically separate the names of the voters from their information—something that could be done easily because each item had a unique RNC ID number.
You’d think that after all the news about the DNC’s hacked and released emails and Russia infiltrating voter software and manipulating elections, the RNC would have made sure it stepped up its own security. And the implications of this hack are even greater than any of the politically charged situations that came before it. Half of the American populace just had very sensitive data exposed, by its own poor security practices. As Tim Erlin, VP of product management and strategy at Tripwire, told me in an email comment, this information was a treasure trove unprotected on the internet, no hacking required to get to it. He added:
Any organization that is managing sensitive data, especially in the cloud, should look at this incident as a wake-up call. Executives should ask themselves if this kind of incident could occur inside of their organization, and then they should follow-up by asking exactly how it would be prevented.
Thanks to Big Data, thanks to there being so much information about everyone so readily available, it is getting more difficult to properly protect critical information. Part of the challenge, Terry Ray, chief product strategist at Imperva, told me in an email comment, is volumes of data require security solutions built to handle them. This means incredibly scalable solutions that are, at a minimum, an order of magnitude beyond that for traditional data environments. Yes, absolutely. Many organizations simply don’t have the capability to keep up.
But in this particular situation – and many other incidents of data leaks – the problem comes down to basic security practices. It doesn’t matter how great your security system is if one person doesn’t apply a basic security procedure or people within the organization aren’t taking steps to ensure that the information is well-protected, like, in this case, using multi-authentication measures.
Deep Root will and should be adversely affected by this event, and dare I say, its incompetence. But the real losers, yet again, are all of us, who have no control over who has our information and how well they are securing it.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba