Gigantic data leak: pretty much a national US voter database

aairfccha wrote:...available online with no protection whatsoever: a data set of nearly 200 million people containing rather private and personal information. Yikes!

In what is the largest known data exposure of its kind, UpGuard’s Cyber Risk Team can now confirm that a misconfigured database containing the sensitive personal details of over 198 million American voters was left exposed to the internet by a firm working on behalf of the Republican National Committee (RNC) in their efforts to elect Donald Trump. The data, which was stored in a publicly accessible cloud server owned by Republican data firm Deep Root Analytics, included 1.1 terabytes of entirely unsecured personal information compiled by DRA and at least two other Republican contractors, TargetPoint Consulting, Inc. and Data Trust. In total, the personal information of potentially near all of America’s 200 million registered voters was exposed, including names, dates of birth, home addresses, phone numbers, and voter registration details, as well as data described as “modeled” voter ethnicities and religions.

https://www.upguard.com/breaches/the-rnc-files

I highly recommend to read the entire article. For me, one alarm bell kept going off after the other.

Personal information about 2/3s of the population, how cute. That would almost certainly be an illegal database here.

USMA74 wrote:I not sure who did what to whom trying to influence the latest (2016) U.S. election cycle. I do know that what the media is trying to claim against Russia is exactly what the U.S. routinely does to other nations, e.g., influence their elections to help U.S. national interests. It is time for the American public to grow up and realize the nations do not have friends, they have national interests.

Yes, couple a months ago i read a list on what elections USA was KNOWN, as in confirmed one way or another, to have interfered with in the last 50 years... Over a hundred.

The list over suspected interference that were likely and had some kind of indication or nondefinitive evidence was several hundred more.

Dilandu wrote:Sigh. And they again would blame us, Russians for that.

"Stray cat abandoned her kittens - oh, Russians, what for you did it?!" (c)

Yes it is rather beyond pathetic isn't it.

It's sad how easily massmedia and politicians get away with it.

The steadily increasing witchhunt of the last one and a half decades is disheartening.

Tenshinai wrote:Personal information about 2/3s of the population, how cute. That would almost certainly be an illegal database here.

Maybe, maybe not. It should be but for comparison, isn't tax information officially public in Sweden?

aairfccha wrote:

Tenshinai wrote:Personal information about 2/3s of the population, how cute. That would almost certainly be an illegal database here.

Maybe, maybe not. It should be but for comparison, isn't tax information officially public in Sweden?

It is, but unless i misrecall, it's not freely available, you have to request a specific data to get it.

More importantly however in this case is PUL, Personal Information Law, which regulates what kind of databases about people is permissible and what kind of safeguards are the minimum requirements for such.

If for example a database includes information about how someone votes(or has stated to vote), then by default it is illegal as that is considered veeery naughty to register about people, or in other words, it breaches the vote secrecy which is held in very high regards here.

The very idea of registering yourself as voting one way or another is pure lunacy to most people here.

Also, PUL also regulates that any such database must be set up to contain the minimum amount of data that allows the database to perform its function, and also specifies what kind of functions are permissible and puts severe limits on how information can be shared, and usually it can only be shared freely in statistical form where any identifying features are gone.

I can almost guarantee that such a political database on people would be EXTREMELY illegal here.


And yes, this DOES also mean that government work is hampered by the same laws, because this regulation also means that different parts of the government are not allowed to compare their databases unless they have a specific criminal investigation that requires it to look at someone specific, no generalised scanning allowed without exceptional reason.

The various parts of governments falls under the same "minimum required to function" restriction and generally under the limits on information sharing, you can get information about a person if you have reason for it, or you can get anonymous statistics, but getting masses of names and information, nope.

Well, roughly at least, i think i wrote it correctly, but it's really not my area.

Peripherally on topic: Law and reality...

https://www.transportstyrelsen.se/sv/Om-transportstyrelsen/fragor-och-svar/#153857

Mediocre Google translation

Swedish Transportstyrelsen (DOT equivalent?) database outsourced to IBM, but without the required background checks on employees of IBM or subcontractors.

EDIT: This keeps getting better and better... by which I mean worse...
http://www.ibtimes.co.uk/keys-kingdom-leaked-by-sweden-exposing-millions-data-military-secrets-eu-secure-intranet-1631565

[...]

The leak occurred after the Swedish Transportation Agency (STA) decided to outsource its database management and other IT services to firms such as IBM and NCR. However, the STA uploaded its entire database onto cloud servers, which included details on every single vehicle in the country. The database was then emailed to marketers in clear text message. When the error was discovered, the STA merely sent another email asking the marketing subscribers to delete the previous list themselves.

[...]

Unfortunately, the STA's leaked database remains under management of the two foreign firms, even as the Swedish government continues to investigate the scope of the leak. Meanwhile, the leaked database may be secured in the fall, according to STA's new director-general Jonas Bjelfvenstam, Swedish newspaper Dagens Nyheter reported.

aairfccha wrote:Peripherally on topic: Law and reality...

https://www.transportstyrelsen.se/sv/Om-transportstyrelsen/fragor-och-svar/#153857

Mediocre Google translation

Swedish Transportstyrelsen (DOT equivalent?) database outsourced to IBM, but without the required background checks on employees of IBM or subcontractors.

EDIT: This keeps getting better and better... by which I mean worse...
http://www.ibtimes.co.uk/keys-kingdom-leaked-by-sweden-exposing-millions-data-military-secrets-eu-secure-intranet-1631565

[...]

The leak occurred after the Swedish Transportation Agency (STA) decided to outsource its database management and other IT services to firms such as IBM and NCR. However, the STA uploaded its entire database onto cloud servers, which included details on every single vehicle in the country. The database was then emailed to marketers in clear text message. When the error was discovered, the STA merely sent another email asking the marketing subscribers to delete the previous list themselves.

[...]

Unfortunately, the STA's leaked database remains under management of the two foreign firms, even as the Swedish government continues to investigate the scope of the leak. Meanwhile, the leaked database may be secured in the fall, according to STA's new director-general Jonas Bjelfvenstam, Swedish newspaper Dagens Nyheter reported.

Yeah, this all came about because of a blase attitude, sheer stupidity and the perceived need to get it done as quickly as possible.

When people from the start warns that there is a security problem and they are ignored because "they are making a big fuss about nothing".

Personally I would like to see all the responsible people go to jail, they basically committed treason by stupidity and stupidity has never been a valid defense.

Grauniad: weden scrambles to tighten data security as scandal claims two ministers

Sweden’s government has sought urgent assurances on data security from national agencies including the health, education and pensions services after a huge leak of private and sensitive information that has cost two ministers their jobs.

Amid reports by the Dagens Nyheter newspaper that confidential medical details were being handled by unscreened IT workers in Romania, the national broadcaster SVT said data outsourcing arrangements at six state agencies were being checked.

The Guardian view on a Swedish scandal: the precedence of privacy
Editorial: Governments forget at their peril that they must nowadays guard their citizens’ data as carefully as they guard their physical safety
Read more
The checks follow a cabinet reshuffle last week in which interior minister Anders Ygeman and infrastructure minister Anna Johansson both stepped down after what the prime minister, Stefan Löfven, called an “extremely serious” security breach.

Several ministers had known about the breach, which followed a botched 2015 data outsourcing contract between the national transport agency and IBM Sweden, for at least 18 months but failed to inform the prime minister, media reported.

[...]

Outsorcing, small state, savings for the taxpayer,... bla bla bla. Never forget: You get what you pay for.

aairfccha wrote:Peripherally on topic: Law and reality...

https://www.transportstyrelsen.se/sv/Om-transportstyrelsen/fragor-och-svar/#153857

Mediocre Google translation

Swedish Transportstyrelsen (DOT equivalent?) database outsourced to IBM, but without the required background checks on employees of IBM or subcontractors.

EDIT: This keeps getting better and better... by which I mean worse...
http://www.ibtimes.co.uk/keys-kingdom-leaked-by-sweden-exposing-millions-data-military-secrets-eu-secure-intranet-1631565

Oh it's much more fun than that. The previous rightwing government pushed through for outsourcing, including effectively lying about what the official research done about it wrote as its findings, which was essentially that some needed to LOOK for outsourcing alternatives at all rather than not, check if it was a viable alternative or not, but they specifically warned about the higher risk of information leaks, or the provider not being secured under the same level of law.

So, the lady that took over the job at Transportstyrelsen, she basically started her job with false information, and went through with the already finished plan...
A plan that was only there as a theoretical option.

And then when there's a mess, what happens? Oh yeah, the rightwing idiots, the ones actually responsible for creating the regulations, law and recommendations that caused it, they blame the current government which is a minority government that isn't even able to fix those things.

And now the leader of the largest opposition party has been KICKED out, in small part because of shenanigans like that.



However, to add a perspective to all this?
No data actually leaked. It was a fuckup that COULD have caused a major leak, but did not.

Outsorcing, small state, savings for the taxpayer,... bla bla bla. Never forget: You get what you pay for.

Oh, there's plenty of people here well aware of THAT!
And without the multiple vectors convering in a fuckup, they would simply have outsourced to for example the company where my brother managed perfect seucurity and 100% uptime for over 15 years, all his time in that position.

Would have been easy, they were already servicing over 10k client systems and a halfdozen intranets, with the most hardcore security requirements possible.

And the people i know in Transportstyrelsen, well, lets just say that there was a lot of "i tooold you so" and facepalming going on there this year.

Tenshinai wrote:...available online with no protection whatsoever: a data set of nearly 200 million people containing rather private and personal information. Yikes!
[SNIP]
Personal information about 2/3s of the population, how cute. That would almost certainly be an illegal database here.

RNC is a private non-profit organization, not a government one. NGOs are not as restricted by the constitution as the real govenment is about access and storage of private info. Google, Verizon, AOL etc made sure of that. Too much money in data mining.