The Voter Database Leak

The news this past week included another major data breach.  This time, it was a database that included 198 million voter records.  1.1 terabytes of personally identifiable information of American voters, including their names and addresses and rankings of their political leanings.  The database was assembled by a political consulting company named Deep Root Analytics.  The exposure of the data was discovered by a cybersecurity consultant named Chris Vickery.

Cloud Isn’t Automatically Secure

Though much of the attention has been focused on the exposure of the records, I would argue that’s not the most significant aspect of this story.  Much of this voter data is available in the public domain via government agencies.  I would argue that the more important piece of this story is how Deep Root Analytics was negligent in their use of the cloud.  In that sense, it can provide a good lesson for business owners moving to the cloud.  Deep Root had their database on AWS and, following a settings update on June 1, had it exposed to public access for 12 days.  It was only discovered by a third party, who responsibly notified Deep Root.  

Databases with sensitive (often customer) data are going to continue to be put on the public cloud.  And that’s not a problem in and of itself.  It’s also not unjustified for these cloud vendors to argue that they have a high-level of available resources to make this data secure.  The key point is that if your business is going to make use of public cloud, your team has a responsibility to make use of these security features.  They’re not automatic.  So have a security (and redundancy) protocol in place when making your move to the cloud.  The decision isn’t about whether the cloud is safe or not.  Once you’ve decided on the cloud, the decision is about how safely you engage it.  That’s your (and your cybersecurity partner’s) responsibility.