Rice Consulting, a fundraising company that worked with the Maryland Democratic Party, publicly exposed a vast database of sensitive information via a Buffalo TeraStation NAS that allowed unauthorized access.
The misconfigured Network Attached Storage device was found by Hacken's cyber risk security team on October 17, and it quickly became evident that the database had been exposed online by Rice Consulting, a Democratic fundraising firm.
As detailed on Rice Consulting's website, they work with "the Maryland Democratic Party as well as countless Statewide, General Assembly, County, and local elected officials and candidates."
According to the NAS access logs found by Hacken, the leaked information had been accessible since February 22, 2018, which allowed multiple actors from around the world (e.g., South Korea, Turkey, and Thailand) to connect to the server and access the data for roughly eight months.
Although there was no evidence of malicious activity at the time, Hacken's team notes that the "NAS information could have been accessed by non-authorized and even malicious actors."
The most important information found by Hacken on the NAS was database passwords, "including access details to NGP (a privately owned voter database and web hosting service provider used by the American Democratic Party, Democratic campaigns, and other non-profit organizations authorized by the Democratic Party), MDVAN (Maryland Voter Activation Network), DLCC (Democratic Legislative Campaign Committee), and DNC (Democratic National Committee) email accounts."
The misconfigured NAS server was publicly accessible for about eight months, since February 22.
The worst part is that all the passwords found on the misconfigured NAS were stored unencrypted in an Excel spreadsheet, which would allow a potential adversary to copy all of them in a matter of seconds, without any need for specialized decryption or exfiltration tools.
Hacken's team also discovered that the database exposed to unrestricted public access contained client records on thousands of fundraisers and large amounts of private information, from names and phone numbers to addresses and personal email accounts.
Furthermore, the data Rice Consulting left publicly accessible also included contract details and employee records, as well as meeting notes and various desktop backups.
Rice Consulting was notified right after the exposed Internet-facing NAS was discovered; when no response arrived within 24 hours, Hacken also tried to reach them by phone, but the calls were rejected.
After finally being reached and receiving the details of the exposure, Rice Consulting blocked public access to the NAS and sent Hacken a "thank you" note for their help.