BreachExchange mailing list archives

DNC Data Breach Reveals a Lot More Than Hillary's (and Maybe Bernie's) Campaign Data


From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Wed, 23 Dec 2015 18:26:58 -0600

http://www.dailykos.com/story/2015/12/22/1462664/-DNC-Data-Breach-Reveals-a-Lot-More-Than-Hillary-s-and-Maybe-Bernie-s-Campaign-Data

The fact that the DNC data breach happened, and that the Sanders lawsuit is
apparently continuing
<http://thehill.com/blogs/ballot-box/presidential-races/263929-sanders-suit-still-alive-in-federal-court>,
may end up being good for Democrats as a whole and for all Democratic
campaigns going forward.

The data breach is shining a light not just on the technology vendor at the
heart of the issue, but also on the extreme level of control over
candidates it has put into the hands of the head of the DNC. It's also
revealing the vulnerability of putting the party's vital data into one set
of corporate hands and keeping it there, not necessarily for reasons of
technical excellence, but for purely political reasons:

Sanders data controversy spotlights powerful gatekeeper
<http://www.politico.com/story/2015/12/bernie-sanders-dnc-data-breach-217016>

At the heart of the Bernie Sanders data mess is a firm that functions as
the digital plumbing of the Democratic Party: NGP VAN. Democrats are nearly
wholly dependent on it, which is why the breach — the company says it’s the
first in its nearly 20-year history — and the Sanders campaign’s subsequent
cutoff from the system is so rattling the party...

If nothing else, it’s reminded Democrats of the risks of leaning so heavily
on one private company to provide its technology infrastructure...

Nearly every Democratic campaign across the U.S. uses NGP VAN in some
fashion, though critics say that's due in some part to the fact that the
DNC and state Democratic parties force candidates to do so as part of the
package of receiving party support. The arrangement leaves it up to the
Democratic Party to decide which campaigns get access to the software,
giving it an enormous gatekeeping power of which the Sanders campaign felt
the force during its temporary suspension of access to the data file...

The VAN part of NGP VAN started in the late 1990s as the Voter Activation
Network, built for the Iowa Senate campaign for Tom Harkin when he couldn't
find the software he needed for his campaign. A powerful feature was the
fact that it could maintain campaign records and recycle the data for use
by other campaigns. Howard Dean, when he headed the DNC, saw the value of
it and started using it for his 50-State Strategy.

In 2010, Sullivan's company merged with NGP, a Washington, D.C.,
fundraising software company led by Clinton-Gore veteran Stu Trevelyan. It
was the marriage of two progressive software powerhouses, and it helped
Democrats, for the first time, bridge the management of their donor base
with their shoe-leather field organizing...

The firm has, in recent years, been locked in battles of words and, in some
cases, lawsuits, with competitors, including Aristotle and Nationbuilder,
the latter of which has made its name letting users control access to their
own data but which has earned the ire of some in Democratic circles by
working with Republicans...

But at the moment, Democrats remain enormously dependent on NGP VAN, and
that's likely to continue for the near future... The company has an
all-you-can-eat contract with the Democratic Party, meaning that it is paid
the same year in and year out, no matter how many campaigns actually use
its tools...

The Sanders case "highlights a huge vulnerability in Democratic tech," says
Seth Bannon, a progressive technologist who runs the digital advocacy
software company Amicus. "Locking campaigns into a tool because of a
company's political connections at the DNC is a very dangerous thing."

I hope that the Sanders campaign doesn't drop their lawsuit, and that it
forces the DNC to allow an audit of not just what happened in this
particular data breach, but of the security of the whole system provided by
this vendor.

And not an audit by NGP-VAN of itself, as Debbie Wasserman Schultz wanted,
but by a respected and impartial third party investigator, as the Sanders
campaign demands.

The fact <https://en.wikipedia.org/wiki/NGP_VAN> that its founder was the
chief technology officer for Hillary Clinton’s 2008 presidential campaign
and that its current president and CEO was a veteran of Bill Clinton’s War
Room and his Administration shouldn’t be the overriding factors in the
Democratic Party’s total reliance on this company’s systems.

Technological excellence should be a much more important consideration than
political control and the mutually reinforcing doling out of contracts to
the benefit of a small elite circle of insiders.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss