Contractor's 198M Voter Data Breach Exposes Third Party Risk (Corrected)

By Daniel R. Stoller

A Republican National Committee contractor's data breach that led to the exposure of 198 million voter files highlights the third-party vendor data security risks faced by companies and organizations, the company that discovered the breach told Bloomberg BNA June 19.

The data breach, first discovered by UpGuard Inc., compromised a repository of the personal details and political stances of 198 million U.S. citizens, the company said in a statement. The voter information data breach was due to “a misconfigured database owned by a third-party vendor hired by the RNC,” it said.

The contractor data breach serves as a reminder to businesses of the cybersecurity risks posed by third-party vendors, which more companies are relying upon to protect information as they move their data to cloud storage.

Mike Baukes, CEO of UpGuard, told Bloomberg BNA June 19 that the exposure of the voter data is “another example of third-party risk becoming problematic.” He said such breaches are preventable and often caused by “human error.”

Although the matter was “quickly resolved,” the data was exposed for “10-14 days,” and it is difficult to determine whether other groups or cybercriminals had access to the data during that time, Baukes said.

The third-party vendor involved in the breach, Deep Root Analytics, said in a June 19 statement that it is aware of the breach and accepts “full responsibility.” Changes to the company's security protocols June 1 led to the voter-data access, it said. The company has since updated its security settings.

Third Party Data Security

The contractor breach is one in a string of breaches over the past few years that have been connected with the data security of a third-party vendor.

For example, the Target Corp. breach that exposed as many as 60 million customers’ payment card data during the 2013 winter holiday shopping season has been attributed to a third-party vendor’s weak data security measures. More recently, the hack that led to the theft of Netflix Inc.'s ‘Orange is the New Black’ before its scheduled release date was attributed to a breach at Larson Studios, a post-production company.

John Suit, chief technology officer and cybersecurity professional at encryption solutions company Trivalent, told Bloomberg BNA June 19 in an email that the breach is “another example of data protection” not reaching needed levels in a growing online world. Companies must be cognizant of risks “posed by employees, vendors, contractors and partners, or next generation threats like ransomware,” he said.

An RNC spokesman told Bloomberg BNA that it “has halted any further work with the company pending the conclusion of their investigation into security procedures.” The RNC requires its third-party vendors to take “the security of voter information very seriously,” the spokesman said.

(The story has been corrected throughout to show that the data breach affected databases maintained by a third-party contractor, not an RNC database.)

To contact the reporter on this story: Daniel R. Stoller in Washington at dStoller@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
