This article is more than 1 year old
Someone's in hot water: Tea party super PAC group 'spilled 500,000+ voters' info' all over web
Leaky AWS S3 bucket fingered by infosec bods
Now, now, America. Don't go overboard. Again.
More than half a million folks' names and phone numbers, plus other sensitive files, were accidentally spilled onto the internet by a misconfigured server operated by the Tea Party Patriots Citizens Fund, it is claimed.
That fund is a Republican super PAC that campaigned in the 2016 presidential elections, backed Alabama’s Roy Moore and New Jersey’s Jay Webber, and supported other rightwing activities. As a political action committee, its job was to raise money from supporters, call people to swing their vote to Donald Trump, run ads, push conservative agendas, and so on – ultimately helping the biz celeb win the White House race.
According to infosec biz Upguard earlier today, the fund exposed names, contact numbers, states of residence, and voter ID numbers for more than 527,000 people, as well as strategy documents, marketing assets, and other files used to fire up voters to the open internet. Specifically, the 2GB of data was left in a, you guessed it, misconfigured Amazon Web Services S3 bucket, it is claimed.
The storage silo was writeable as well as readable, meaning anyone looking in the right place could have downloaded and tampered with the documents and database. Most of the voters listed were in Pennsylvania, Florida, Texas, Montana, and New Jersey.
Amazon's answer to all those leaky AWS S3 buckets: A dashboard warning lightREAD MORE
The datastore – labeled "tppcf" – was, we're told, found by Upguard on August 28. and reported to the fund. The bucket was closed up by October 1, leading to Upguard going public with its discovery today.
The AWS bucket contained, among other things, marketing and strategy blueprints, scripts for calls, sample letters to businesses and editors, taxation talking points, and an internal report detailing the success of Trump's victory.
It appears the fund used an outfit called L2 Political to identify and target Americans who would likely vote for Trump. That same organization worked on Barack Obama’s 2012 reelection campaign; gathering intelligence on people and exploiting it to win votes is common among today's political heavyweights. The fund credited this political data analysis for helping it pound the streets effectively to secure votes for their Republican candidate.
"As valuable as this data might be to political parties and the companies who profit from its sale, like any modern dataset, it is also subject to the inherent risks of the infrastructure on which it lives," Team Upguard concluded.
"In this case, an Amazon S3 storage bucket was misconfigured to allow any anonymous user not only the ability to read files, but to modify or delete them as well, an especially dangerous scenario."
A spokesperson for the fund was not available for immediate comment. ®