Republican polling firm's database was hacked, exposing donor records

The data was stolen just after the 2016 election, the polling outfit confirmed.
Written by Zack Whittaker, Contributor

(Image: file photo)

A Republican phone polling firm has been hacked, exposing data on hundreds of thousands of Americans who submitted donations to political campaigns, ZDNet has learned.

Several database files, one of which totaled 223 gigabytes in size and amountied to about two billion lines of data, was stolen in January from Victory Phones, a Grand Rapids, MI-based automated phone research and data compilation firm.

Victory Phones carries out polling on behalf of Republican candidates, which have spent hundreds of thousands of dollars on predicting the outcomes of political campaigns. The company uses phone calling to conduct polls on massive scales and flood the Republican voter base with "get out to vote" phone calls. The company also allows campaigns to carry out political fundraising.

It's thought that the stolen database primarily related to individual donations made to political campaigns, given the types of information found in the database.

According to public records, the company gave $207,602 to a campaign by Rand Paul (R-KY) and $79,646 to Martha Roby (R-AL). The company also gave $103,977 to the Republican Party of Michigan, where the company is located, and $64,229 to the Republican National Committee, among others.

The data contained 166,046 unique email addresses, according to Troy Hunt, who runs data breach notification service Have I Been Pwned, who was sent a copy of the database.

The data contains names, postal and email addresses, phone numbers, genders, and donation amounts.

Hunt also reached out to several individuals whose data was found in the files. All of those who responded confirmed that they recognized their data when it was supplied to them.

One file contained employee usernames, and hashed and salted passwords, postal addresses, and the IP addresses of where users logged in from.

When reached, the company's chief executive David Dishaw wouldn't comment on the data's "veracity or validity."

He added: "We can confirm that in early January 2017, we were one of tens of thousands of users whose MongoDB instance was hacked. We received no ransom note or communication regarding this intrusion, in the immediate aftermath, or up until even now. We took steps to enhance the security of our data, and notified our users at that time of the breach. We will continue to keep them up to date as we come into any information that is relevant."

The breach lines up with a wave of attacks against 27,000 unsecured MongoDB databases which were stolen and ransomed early this year. Many of the poorly configured databases contained no password, and would be accessed and downloaded by hackers, who would then replace the databases with a ransom note.

At the time of writing, a server belonging to the company with an open database port is still indexed on Shodan, the search engine for unprotected devices and databases.

The breach may not be significant in terms of numbers of individuals affected compare to other breaches of voter information -- much of the data is already public on the Federal Election Commission's website. But the hack represents yet another data exposure at a time of heightened concern about election interference.

"We saw a lot of compromised MongoDB instances in late-2016 and early 2017," said Hunt, in an email to ZDNet.

"There's no sugar-coating that it only happened because organisations put their databases in publicly facing network segments and left them entirely unprotected without so much as a password," he said.

"This is yet another reminder of how much data is out there circulating around the web, often from incidents some time ago," said Hunt. "It also reminds us that even when the organisations charged with protecting the data lose it and realise their mistake, there's still no guarantee that the owners of the data will ever hear about it."

Hunt added that 75 percent of email addresses were already in Have I Been Pwned's database.

Editorial standards