Data leak at consulting firm handling fundraisers for the Democratic party

Exposed data includes information on thousands of fundraisers and even credentials for databases of voter records.

A Maryland consulting firm that handles political fundraisers for the Democratic Party has left fundraiser data and passwords to databases storing voter records exposed online via an unsecured network attached storage (NAS) device.

The exposed data was found last week by Bob Diachenko, Director of Cyber Risk Research at Hacken, a cyber-security research firm, during a cursory Shodan search.

Diachenko tracked down the exposed NAS to Rice Consulting, a consulting firm that claims to have raised over $4.32 million over the 2017 fundraiser season for Maryland Democrats.

The NAS, which was left exposed online without a password, contained detailed information on Rice Consulting clients, including in-depth details on thousands of past fundraisers.

Exposed information, Diachenko says, included names, phones, emails, addresses, contracts, meeting notes, and more. The server also contained internal Rice Consulting data, such as desktop backups, employee details, and other IT-related info.

The Hacken researcher says the "most significant asset" found on the NAS was a collection of username and password combos for NGP accounts.

NGP is a privately-owned voter database used by the American Democratic Party. These credentials supposedly granted access to NGP accounts created on a per-fundraiser basis. The accounts, in turn, supposedly allowed access to voter records used for those respective fundraiser campaigns.

ngp-logins.png
Image: Hacken

To make matters worse, Diachenko also found access logs for the exposed NAS and identified IP addresses from several countries accessing the device since at least February 22.

"We suppose that NAS information could have been accessed by non-authorized and even malicious actors," Diachenko said in a report published earlier today.

The researcher also said that getting the consulting firm to secure its device was also a problematic process. Rice Consulting did not reply to emails or phone calls from Diachenko and other researchers and journalists he enlisted to help.

The company did secure its NSA device on October 18, when it also sent Diachenko a short "thank you" note via email.

A CyberScoop reporter managed to get a lengthier reply during a phone call when a Rice Consulting employee said "there's no one here who can tell you anything," and then proceeded to hang up the phone like it did to Diachenko and the others.

RELATED COVERAGE: