US Democratic Party’s fundraising firm accidentally exposes sensitive data online

• The data leak occurred due to an unsecured Network Attached Storage device.
• The device contained information such as fundraisers’ phone numbers, names, emails, addresses, as well as contracts, meeting notes, desktop backups, and more.

An unsecured Network Attached Storage (NAS) device at Rice Consulting, a Maryland-based fundraising firm exposed the company’s data online. One of the firm’s clients is the US Democratic Party, which was also impacted by the breach.

The data exposed includes passwords of the databases that are used to store voter records. The unprotected NAS device also contained information such as fundraisers’ and clients’ phone numbers, names, emails, addresses, as well as other information such as contracts, meeting notes, desktop backups, employee details and more.

Bob Diachenko, the director of cyber risk research at Hacken.io, discovered the data leak during a cursory Shodan search. The researcher highlighted that the passwords to the database resources that were available to the public.The exposed data included sensitive information of NGP Van Inc. - a privately owned voter database used by the Democratic Party. All the passwords were stored in an unencrypted format.

“The most significant asset available for public was passwords to database resources, including access details to NGP — a privately owned voter database and web hosting service provider used by the American Democratic Party, Democratic campaigns, and other non-profit organizations authorized by the Democratic Party, MDVAN —Maryland Voter Activation Network, DLCC —Democratic Legislative Campaign Committee, and DNC — Democratic National Committee) email accounts. All of those were stored in an Excel file non-encrypted,” Diachenko said in a blog post.

Apart from the details related to fundraisers, the security expert also found access logs for the exposed NAS. He also discovered that the first connection to the device was made on February 22 and since then it has been accessed through various IP addresses spread across several countries. This indicates that the data exposed may have been accessed by multiple third-parties.

“Access log (also available among other files in storage) shows first connections made to the NAS on February 22. It includes IPs from Turkey, South Korea, Thailand among others: scanning engines IPs, like Greynoise, are also there. We suppose that NAS information could have been accessed by non-authorized and even malicious actors,” Diachenko explained.

The security expert said that he informed Rice Consulting as soon as he discovered the breach. Although the company didn’t respond to the matter quickly, Diachenko says that on October 18, all the access to the unprotected NAS device was disabled.