June 22, 2017

The RNC Data Breach: Important Lessons Learned the Hard Way


Even as data breaches go, this one was ugly.

Deep Root Analytics, a data analysis firm hired by the Republican National Committee to profile voters during the 2016 presidential campaign, left sensitive information on nearly 200 million American citizens on an unsecured web server. The data—more than a terabyte in all—included potential voters’ home addresses, phone numbers, and birthdates, as well as details on their religious preferences and ethnic backgrounds. Anyone with the URL for the server could download the files without needing to enter so much as a password.

Unsurprisingly, a class action lawsuit against Deep Root was in the works less than a week after the breach was announced. More lawsuits will undoubtedly follow, and many analysts expect that Deep Root ultimately will be forced out of business, unable to survive the combination of legal trouble and bad publicity.

The damage won’t end there. Even though Deep Root is to blame for the breach, the negative consequences will attach themselves to the RNC, along with the companies who helped collect the data Deep Root failed to protect. Not only are millions of Americans angry that their personal information has been exposed, the mishandled files may now be in the hands of groups who will find ways to exploit the data and the proprietary methods used to develop it.

Large scale data breaches like this will only become more common as enterprise datasets grow larger and cloud services continue to replace on-premise IT architecture. However, the RNC breach contains a few key lessons that other organizations can use to keep themselves off the list of high-profile data breach victims.

More Parties = Less Control

The RNC voter database was a joint effort involving at least two other data firms—TargetPoint Consulting and Data Trust—in addition to Deep Root Analytics. While these other companies may have kept their own work safe, and the RNC itself may have used proper controls, those efforts counted for nothing after the failure of the weakest link in the chain.

When organizations rely on consultants, business partners, and other external parties to collect, store, or process sensitive information, they lose the ability to control where the information will travel. The only way to keep data secure is to protect it with persistent encryption before exchanging it with external partners or moving it to the Cloud.

Cloud Security is Not Enough

Cloud service providers go out of their way to assure customers that their data is safe. Amazon Web Services, the vendor that hosted the Deep Root files, provides extensive information on the multiple layers of protection and control it makes available to help companies manage their files. Unfortunately, as the Deep Root breach illustrates, all it takes is a single human error to negate the effectiveness of identity management protocols and access controls.

Once the files were in an unsecured folder, anyone with an internet connection could have accessed them. We may never know how many people found and downloaded the files before a security analyst named Chris Vickery discovered the breach and reported it to authorities.

Cloud storage services may indeed be more difficult to hack into than a typical corporate datacenter, but hacking isn’t necessary when organizations put their data in the wrong place.

Unencrypted Data is Never Safe

No one at the RNC, Deep Root, Data Trust, or TargetPoint ever expected that the voter database would become the subject of national headlines. The size, sensitivity, and value of the data should have been enough to ensure that it received maximum protection from cybersecurity threats. In reality, internal controls were not enough to keep the data where it belonged, and the breakdown became a catastrophe because Deep Root had also neglected to apply the strongest and most reliable form of data protection: encryption.

If the voter data had been encrypted, it would have made no difference that someone at Deep Root placed it on an unsecured server. Unauthorized users who downloaded the files would be spending a few days and a terabyte of bandwidth to steal information they had no chance of ever reading or using. Chris Vickery would have had nothing interesting to report when he investigated the server, and the RNC would be able to continue to use its $5 million voter database in peace.

If your organization keeps sensitive information in the Cloud, find out how PK Protect can keep your files safe from unauthorized users and keep your company safe from the negative consequences of a data breach. Request a free demo now.

Share on social media
  • Apr'24 Breach Report-01
    PKWARE April 17, 2024
  • Data Retention: Aligning Data Protection Strategies with Compliance Requirements
    Ben Meyers March 13, 2024
  • Data Breach Report: March 2024
    PKWARE March 8, 2024
  • PCI DSS 4.0 Compliance: Safeguarding the Future of Payment Security
    PKWARE February 22, 2024