The firm, called Hacken, claimed to have breached a storage device attached to the network of a Maryland-based consulting firm called Rice Consulting which public records show has provided fundraising services to several state-level candidates in Maryland.
Hacken, which runs a program through which “white hat” hackers can seek out bugs and be rewarded in cryptocurrency, said it notified Rice Consulting of the vulnerability. “White hat” hackers in the cybersecurity community sometimes probe for vulnerabilities to expose and secure them, rather than to access data for malicious purposes.
According to the firm, however, its team was able to gain access to a wealth of information that would be potentially useful to someone seeking to disrupt an election.
“Storage contained detailed information on each of the Rice Consulting client (past, current, and potential),” reads a post on the firm’s blog, “e-mail databases with details on thousands of fundraisers (phones, names, emails, addresses, companies), contracts, meeting notes, desktop backups, employee details, etc.”
The storage device had also been accessed, the firm said, by IP addresses from Turkey, South Korea and Thailand in the past year.
“We suppose that … information could have been accessed by non-authorized and even malicious actors,” the firm wrote.
Rice Consulting declined to comment to ABC New on the purported exposure of its vulnerability and would not identify its clients.
Election-security experts and cybersecurity professionals have repeatedly warned that there are many — often unexpected — ways to hack the U.S. election system.
“High profile targets like political parties, governments, and related organizations have to account for more digital attack surface than ever before,” said Ryan Kalember, senior vice president of cybersecurity strategy at cybersecurity firm Proofpoint, which provides cybersecurity and anti-phishing services to private and government clients. “Backups of sensitive data and files are frequently left accessible either carelessly or due to a lack of security expertise, and threat actors from nation states to garden variety cybercriminals are adept at finding and exploiting those exposures.”
According to Hacken, the “most significant asset available” was “access details” to a privately-owned voter database and web hosting service called NGP VAN, which houses information on Democratic voters nationwide for the Democratic National Committee. State parties and campaigns are granted limited access by the DNC to use the voter files within their states to conduct get-out-the-vote and fundraising activities.
“NGP VAN confirms that the accounts in the Rice documents were all old and currently inactive, with the last login for any of those accounts being in 2015,” a company spokesman told ABC News.
The DNC declined to comment. A source familiar with the issue said no DNC logins had been obtained and that NGP VAN access requires two-factor authentication.
If malicious actors were to access voter files like those reportedly accessed by Hacken, they could potentially manipulate the data in those files to sabotage fundraising efforts or use it to send targeted pieces of misinformation to potential voters.
The Democratic Party has steered campaigns toward best practices, and they can access a dashboard that provides them with suggestions of how to protect themselves, but Federal Election Commission filings show that surprisingly few campaigns have contracted with major cybersecurity firms and there’s an untold number of consultants who work for campaigns whose cybersecurity practices are difficult to assess.