Political Campaigns Face Hacking Threat That Goes Beyond Voter Data
Unencrypted emails can be hacked, speech and strategy notes nicked, volunteer passwords phished, data from credit cards used for donations stolen, and canvassing walk lists compromised due to a tech platform outage. In an increasingly information-hungry political campaign world, there are all sorts of security-related hiccups that can dog candidates and organizations.
Citing a hack into then-Republican VP candidate Sarah Palin's private email account in 2008, data broker and security services firm Experian wrote in its recent 2015 Data Breach
While campaign staffers are highly sensitive to the potential for Watergate-style snooping by opponents, some suggest nefarious forces outside the country could be a legitimate threat. One political data consultant who spoke to Ad Age on background said attempts to infiltrate political data systems -- especially those used by presidential campaigns -- are already happening, suggesting that they are vulnerable to attacks from hackers based in China, Russia and Eastern Europe.
In 2013, NBC News reported that the 2008 Barack Obama and John McCain presidential campaigns were hacked by operatives of the People's Republic of China, according to U.S. intelligence officials. There have also been reports that hackers in China attacked GOP presidential nominee Mitt Romney's campaign servers during the 2012 election.
"The best companies in the world struggle with security every day. I don't think the campaign people have a chance," the political data consultant said.
Campaign emails, information on employment or budgets and opposition research could all be compromised. Worse yet, incriminating information a candidate tells staff to prepare for in case a rival exposes it could also be exposed or used as blackmail by hackers.
Breaches are often the result of human error, stressed Scott Howe, CEO of data services firm Acxiom, which works mainly with corporate clients. "They typically have to do with someone who left a door open to invite the cyber theft through phishing or carelessness," he said. Phishing attempts occur when hackers disguise emails, texts or phone calls as notifications from financial services firms or technology platforms in an effort to obtain user passwords and other sensitive data.
If organizations are not thinking about cyber security, said Mr. Howe, "you're already probably way behind."
Despite looming threats and a growing use of enhanced voter data and analytics tools, as well as online systems enabling easy donations and merchandise sales through credit card transactions, few political campaigns have someone on staff dedicated to data security.
Campaigns rely on their tech vendors to ensure data security, suggested Laura Packard, Democratic Political Strategist and partner at PowerThru Consulting, who works with congressional, senate and gubernatorial candidates. While "it's something that may make sense for a presidential [campaign], having a data security person is overkill," for smaller campaigns, she added.
"Given the threats and data breaches that occurred to presidential campaigns in the 2012 cycle, we've taken cyber security very seriously and established a number of safeguards to reduce our risk," said Paul Lindsay, spokesman for Right to Rise, the PAC supporting Jeb Bush's campaign. He said the organization and its data consultancy have worked in partnership with Amazon, Google and Microsoft to secure systems, in addition to requiring multi-factor authentication to access database systems and servers. The organizatino is also using machine learning to detect abnormal usage patterns.
In May 2014, non-partisan political data and tech platform firm NationBuilder acknowledged a distributed denial of service (DDoS) attack that effectively shut down political campaign websites running on the platform for around four hours. "NationBuilder exists to provide the infrastructure for organizing -- and that infrastructure must withstand any attacks. And this week, we failed. We are deeply sorry," wrote the company in a blog post at the time, noting that the attacks "did not compromise any of your data or financial information."
Like data and tech firms serving corporate clients, the firms that work with political campaigns are hesitant to be mentioned in a story about data security issues. NationBuilder declined to comment for this story, as did several data technology firms serving the political market.
The dustup resulting from an exposure of Hillary Clinton's campaign data to at least one Bernie Sanders campaign staffer as a result of a breach of NGP VAN's software earlier this month has many vendors serving political campaigns on guard or at least circling the wagons. NGP VAN is the Democratic National Committee's platform of choice for voter data management.
Mr. Sanders, a Democratic presidential hopeful, called on the DNC to oversee an independent investigation of the party's data and tech systems during appearances on ABC's This Week and CBS's This Morning.
"At the end of the day, the Sanders campaign agreed to what we originally asked for -- a full accounting of the data that was inappropriately accessed and an independent audit to determine that the data is no longer in the campaign's possession," DNC Spokesman Eric Walker told Ad Age. "We're also working with NGP VAN to make sure that their data is secure and that this kind of breach won't happen again. We're excited to move past this and get back to discussing the issues that the voters care about -- just like our candidates did in the last debate."
"I think that that's a good thing to get to the bottom of, how this happened, who was responsible, and make sure it doesn't happen again," said Ms. Packard.