A consulting firm that works with Democratic campaigns unknowingly left sensitive fundraiser information and credentials to old voter record databases open on the internet, according to a report published on Wednesday.
Cybersecurity company Hacken says it discovered an unprotected network-attached storage (NAS) device managed by Rice Consulting, a Maryland firm that provides fundraising and mass communication to Democratic clients. Authentication was reportedly disabled on the NAS, and Hacken says that it was indexed by Shodan, an Internet-of-Things search engine.
With its contents publicly accessible, the NAS revealed details about Rice Consulting’s clients as well as details about “thousands of fundraisers,” Hacken says. Those details include names, phone numbers, emails, addresses and companies. There were apparently also contracts, meeting notes, desktop backups and employee details.
Rice Consulting did not respond to an email request for comment on the Hacken report. When CyberScoop called the firm, the person who answered said “There’s no one here who can tell you anything,” and hung up.
Hacken said it tried contacting Rice Consulting, initially to no avail. The company also reportedly did not respond to emails and hung up when Hacken called.
“Finally, on October 18, public access to NAS device and sensitive files has been disabled and we received a ‘thank you’ note from Rice Consulting,” Hacken said. “With so many unreliable emails floating around, sometimes it is difficult to discern what is legitimate and what is not. Nevertheless, it’s not so hard to at least answer a call.”
Hacken also said that it found unencrypted spreadsheets full of credentials to databases managed by a company that collects voter information and provides technology services for Democratic campaigns. The company, NGP VAN, said that the databases in question were outdated and haven’t been accessed in years.
“NGP VAN confirmed that the accounts in the Rice documents were all old and currently inactive, with the last login for any of those accounts being in 2015,” the company said in an emailed statement.