Political committee left 6.2 million email addresses exposed for 9 years

The damage is limited, but it's still a serious slip-up.

It's all too common for organizations to leave sensitive data exposed on their servers, but the latest incident might leave some scratching their heads. UpGuard discovered that the Democratic Senatorial Campaign Committee left about 6.2 million email addresses exposed in a badly configured Amazon S3 cloud storage bucket since 2010 -- yes, nine years ago. The data file was apparently meant to exclude people from the DSCC's marketing emails during Hillary Clinton's Senate tenure. Most of them were clearly personal addresses, although there were thousands of .gov and .mil addresses as well.

The data didn't include anything more than the email addresses, so the potential for abuse was relatively small. However, it's concerning that the S3 bucket gave everyone "full control," letting people not only modify the list but change access permissions.
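To make the "full control" finding concrete, here is an added example (not from UpGuard's report or the DSCC) of how a defender can audit a bucket ACL for grants to public groups. It assumes the dictionary shape returned by boto3's `get_bucket_acl()`; the sample ACL and the function name `public_grants` are constructed for illustration.

```python
# Added example: audit an S3 bucket ACL for grants to public groups.
# Input is the dict shape returned by boto3's s3.get_bucket_acl(); the sample
# ACL below is constructed for illustration, not taken from the incident.

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "everyone (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

# FULL_CONTROL is shorthand for all four individual ACL permissions.
IMPLIED = {"FULL_CONTROL": {"READ", "WRITE", "READ_ACP", "WRITE_ACP"}}

SEVERITY = {
    "WRITE_ACP": "critical",  # can rewrite the bucket's permissions
    "WRITE": "high",          # can add, overwrite or delete objects
    "READ": "medium",         # can list the bucket's objects
    "READ_ACP": "low",        # can read the ACL itself
}

def public_grants(acl):
    """Return sorted (severity, audience, permission) for each public capability."""
    findings = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        audience = PUBLIC_GROUPS.get(grantee.get("URI"))
        if grantee.get("Type") != "Group" or audience is None:
            continue  # named accounts and the log-delivery group are not public
        perm = grant.get("Permission")
        for p in IMPLIED.get(perm, {perm}):
            if p in SEVERITY:
                findings.add((SEVERITY[p], audience, p))
    order = ["critical", "high", "medium", "low"]
    return sorted(findings, key=lambda f: (order.index(f[0]), f[1], f[2]))

SAMPLE_ACL = {  # constructed sample
    "Owner": {"ID": "owner-canonical-id-placeholder"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "FULL_CONTROL"},
    ],
}

if __name__ == "__main__":
    for severity, audience, perm in public_grants(SAMPLE_ACL):
        print(f"{severity:8} {audience}: {perm}")
```

The `WRITE_ACP` finding corresponds to the ability to change access permissions, and `WRITE` to the ability to modify the bucket's contents.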

The DSCC locked down its cloud storage within hours of UpGuard reporting the finding on July 26th. It's not clear if anyone outside of the DSCC had accessed the data before the discovery.

Whatever happened with the email list, the incident highlights how online campaign security has changed (and not) over the past several years. Officials weren't as acutely aware of the digital threats from Russia and other hostile actors, not to mention the overall consequences of leaving databases vulnerable -- now, even a 'modest' failure like this is considered problematic. With that said, there are still gaping security holes in the US political system, and it's concerning that the DSCC didn't catch this mistake on its own.