The headlines scream of how the Republicans’ data analytic contractor, Deep Root Analytics, had stored 25 terabytes (TB) of data stored in the cloud, of which 1.1TB were available for harvesting by anyone who found the links.
The exposed data put the personal identifying information (and more) of approximately 200m registered voters in the United States at risk. Kudos to security researcher Chris Vickery, who discovered the misconfigured data store of Deep Root on 12 June.
According to Gizmodo, the window of exposure for the Deep Root data was from June 2 through June 14. Deep Root’s CEO Alex Lundry said:
We take full responsibility for this situation … since this event has come to our attention, we have updated the access settings and put protocols in place to prevent further access.
Many important themes percolated to the top because of this incident.
The first is the confirmation that the age of big data is upon us. These companies (of which Deep Root is but one) are collecting information on each one of us from a disparate array of sources, collating the information and then regurgitating the information in a manner most useful for their client. Marketeers everywhere no doubt let out a “holy moly” and the wheels were turning on what they could do with this level of granularity about their customer/clients.
The second is the realization by the privacy advocates that the amount of information that is readily available via public or proprietary sources has rendered transparent the veil of privacy we each wear. We may be well beyond the tipping point of individual data privacy.
The third is secure data in the cloud is only secure if you secure it. Few take the time to ensure that the data they heave by the terabytes into the cloud are adequately protected. Deep Root used Amazon Web Services (AWS) for storage. It is the mighty behemoth of data stores. As such, AWS goes to great pains to ensure data can (important qualifier) be stored there securely.
According to a survey by Threat Stack, 73% of companies (out of 200 companies surveyed) had security misconfigurations within AWS that would leave “SSH wide open to the internet”. The same survey found that 62% of companies were not using multifactor authentication for users accessing AWS data stores.
As the survey above indicates, Deep Root isn’t the first and probably won’t be the last to not configure their cloud storage security protocols correctly.
We say it a lot, but it clearly requires saying – it’s important not to expose sensitive data to the world.
In defense of AWS security, it’s made easy, but it isn’t automatic. AWS first of all provides a plethora of very exact advice on how to secure your data in their cloud on its security page: AWS Security.
For those not inclined to roll up their sleeves into the world of data security, AWS wisely opened its infrastructure to their partner network. The partners provides a leg-up to those who want to use AWS but haven’t the security acumen: these products complement the existing AWS services to help you deploy a comprehensive security architecture. Sophos, via the Universal Threat Management Protection service offers a layered security solution for AWS.
Deep Root had clearly understood the need to secure data: 24TB of the 25TB were not visible to the rest of the world.
Yes our privacy is at risk, yes the GOP had of data and analysis available (don’t be surprised when we learn that peta- or exa-bytes of data are available, but secured), and an unsecured data store will be discovered by a data researcher (if you are lucky) or a cybercriminal with a script and incentive (if you have no luck).
2 comments on “Deep Root: what can we learn from the GOP’s data leak?”
Thanks, cloud! No, it’s not as secure in every way as on-prem systems.
Maybe, we can learn that programming Amazon’s “Make Public” button without any regard to confirmation, file inheritance, security or training is a bad idea? Perhaps the same people who don’t think a Save button is necessary (i.e. MAC OSX).