Reports are emerging that a consumer-grade network attached storage (NAS) device owned by Rice Consulting, a fundraising firm working primarily with the Democratic Party in the US, was left publicly accessible. The device contained client data and passwords giving access to other organisations. A member of the Hacken cyber risk security team discovered the unprotected Buffalo TeraStation NAS instance.
The factory-set authentication of the NAS device was disabled, leaving it open to being spotted and indexed by Shodan or Google’s IoT search engine. The data leakage has highlighted the firm’s failure to implement basic security measures to protect swathes of highly sensitive voter and donor data.
Commenting on the news, Bill Evans, senior director at One Identity, said: “The concerning thing about this leak is the fact that the factory-set authentication had been disabled. While we may never know why it was disabled, it was most likely done for convenience. Although it can be a hassle to manually manage administrative passwords, organisations must do their utmost to protect their ‘keys to the kingdom’.”
Evans continued, “This brings to light the real problem with the proposed California legislation, which intends to ensure the security of IoT (Internet of Things) devices by requiring unique passwords, among other measures. Like in this most recent case, administrators and users may simply change or disable those security features for convenience, making a device or system inherently insecure.
“Enterprises would be best served at looking at the myriad options for automating the management of their privileged accounts to ensure leaks like this don’t happen again,” he added.