AggregateIQ – a Canadian political advertising firm that played a role in the 2016 US election and the UK's "Vote Leave" Brexit campaign – left its applications and database credentials publicly accessible, security firm Upguard said on Monday.
There's no evidence that the exposed code or data was taken. Nor is there evidence it wasn't. It was simply left accessible to the public for an unspecified period of time.
In a phone interview with The Register, Chris Vickery, Upguard's director of cyber risk research, said AggregateIQ had installed a custom version of the open source GitLab software version control and collaboration system.
"For whatever reason, they configured it to allow registration of new accounts by the public," he said.
About a week ago, on March 20, Vickery found the code repo, hosted on a GitLab subdomain of AggregateIQ.com, gitlab.aggregateiq.com.
Accessing the URL allowed him to register simply by providing an email address. After that, he was able to see the firm's tools and data.
Calling in the Feds, although they may already know
Vickery said he informed federal authorities of his findings but declined to name the specific agency, per the agency's request. He also said he informed AggregateIQ, and the biz shut down access 11 minutes later.
Upguard suggests the material found – apparently used to support US Senator Ted Cruz's failed 2016 presidential campaign – raises questions about the firm's alleged ties to Cambridge Analytica, which received $5.8 million for services rendered from the Cruz campaign.
Cambridge Analytica, a UK-based data analytics firm, stands at the center of the current Facebook privacy scandal, a consequence of the biz obtaining about 50 million Facebook profiles from a researcher who took advantage of the social media site's former policy of letting app devs gather info on app users and all of their friends.
AggregateIQ has been linked to Cambridge Analytica in press reports; Cambridge Analytica CEO Alexander Nix (currently suspended after an undercover video showed him discussing his company's tactics) has acknowledged using AggregateIQ in the past to develop software applications.
A Guardian/Observer report from May 2017 alleges that Wylie, the whistleblower who helped bring the Facebook data scandal to the fore, brought AggregateIQ and Cambridge Analytica together.
The report asserts that at one point, AggregateIQ’s address and phone number were the same as the address and phone listed for SCL Canada on Cambridge Analytica’s website.
On Saturday, AggregateIQ issued a statement to distance itself from Cambridge Analytica and its parent company SCL and to assert that it has never knowingly been involved in illegal activity.
"AggregateIQ has never been and is not a part of Cambridge Analytica or SCL," the Canadian company said. "Aggregate IQ has never entered into a contract with Cambridge Analytica. Chris Wylie has never been employed by AggregateIQ."
Vickery expressed skepticism about AggregateIQ's disavowal of ties to Cambridge Analytica.
"I find it hard to believe that there would be such a non-relationship as they describe," he said. "I've seen compelling evidence to the contrary."
The clue's in the code
Upguard says it discovered "a set of sophisticated applications, data management programs, advertising trackers, and information databases that collectively could be used to target and influence individuals through a variety of methods, including automated phone calls, emails, political websites, volunteer canvassing, and Facebook ads."
The security biz also said it found various credentials, keys, hashes, usernames, and passwords to access AggregateIQ accounts, which would allow hackers who obtained the information to compromise accounts. Vickery clarified that the databases were not directly exposed.
"These are the tools used to interact with the data," he said. "These aren't the databases themselves."
The credentials to access the databases through these tools were available, but he said he did not use them – using someone else's credentials to log in without authorization carries a potential legal risk.
But, said Vickery, there's mention of the Republican National Committee and a significant data store. Upguard's post contains a screenshot of an application described as the Database of Truth that combines RNC data with state voter files, consumer data, third party data providers, and other sources of information. In theory, that database could contain information on millions of US voters.
Vickery said he is considering further posts about his findings but has yet to determine the details.
Asked whether it is aware of Upguard's findings, a spokesperson for the Office of the Privacy Commissioner of Canada sent in the following statement:
"What we can tell you at this point is that we have been in contact with our provincial counterpart in British Columbia, which has been examining matters related to AggregateIQ and our discussions with them are ongoing. We don’t have further information to share at this time."
PS: Cambridge Analytica has been accused of breaking US election laws in complaints filed to the US Federal Election Commission and Department of Justice.