A political campaign group working to elect Democratic senators left on an exposed server a spreadsheet containing the email addresses of 6.2 million Americans.
Data breach researchers at security firm UpGuard found the data in late July, and traced the storage bucket back to a former staffer at the Democratic Senatorial Campaign Committee, an organization that seeks grassroots donations and contributions to help elect Democratic candidates to the U.S. Senate.
Following the discovery, UpGuard researchers reached out to the DSCC and the storage bucket was secured within a few hours. The researchers shared their findings exclusively with TechDap and published their findings.
The spreadsheet was titled “EmailExcludeClinton.csv” and was found in a similarly named unprotected Amazon S3 bucket without a password. The file was uploaded in 2010 — a year after former Democratic senator and presidential candidate Hillary Clinton, whom the data is believed to be named after, became secretary of state.
UpGuard said the data may be people “who had opted out or should otherwise be excluded” from the committee’s marketing.
Stewart Boss, a spokesperson for the DSCC, denied the data came from Sen. Hillary Clinton’s campaign and claimed the data had been created using the committee’s own information.
“A spreadsheet from nearly a decade ago that was created for fundraising purposes was removed in compliance with the stringent protocols we now have in place,” he told TechDap in an email.
Despite several follow-ups, the spokesperson declined to say how the email addresses were collected, where the information came from, what the email addresses were used for, how long the bucket was exposed, or if the committee knew if anyone else accessed or obtained the data.
We also contacted the former DSCC staffer who owned the storage bucket and allegedly created the database, but did not hear back.
Most of the email addresses were from consumer providers, like AOL, Yahoo, Hotmail and Gmail, but the researchers found more than 7,700 U.S. government email addresses and 3,400 U.S. military email addresses, said the UpGuard researchers.
The DSCC security lapse is the latest in a string of data exposures in recent years — some of which were also discovered by UpGuard. Two incidents in 2015 and 2017 exposed 191 million and 198 million Americans’ voter data, respectively, including voter profiles and political persuasions. Last year, 14 million voter records on Texas residents were also found on an exposed server.
Although the DSCC’s data exposure contains less damaging information than similar exposed sets of voter data, it represents another embarrassing lapse around political campaign data security.
“This list contained only email addresses, but other political data sets contain far more information on individuals, down to psychographic information such as their habits, behaviors, and likely beliefs,” said UpGuard. “The same things that make this data valuable to political campaigns makes it valuable to malicious actors — intel on individuals that can be used to contact and influence them.”
“If political data can be exposed for ten years, the risk created by that data has an unknown half-life,” the researchers said.