A consumer-grade network attached storage (NAS) device owned by Rice Consulting, a fundraising firm working primarily with the Democratic Party, containing client data and passwords giving access to other organizations, was left publicly accessible, a cyber security research firm discovered.
The factory-set authentication of the Buffalo TeraStation NAS device was disabled, leaving it open to being spotted and indexed by Shodan or Google’s IoT search engine.
The data leakage has highlighted the firm’s failure to implement basic security measures to protect swathes of highly sensitive voter and donor data.
Evans, Senior Director at One Identity:
“The concerning thing about this leak is the fact that the factory-set authentication had been disabled. While we may never know why it was disabled, it was most likely done for convenience. Although it can be a hassle to manually manage administrative passwords, organisations must do their utmost to protect their ‘keys to the kingdom.’
This brings to light the real problem with the proposed California legislation, which intends to ensure the security of IoT devices by requiring unique passwords, among other measures. Like in this most recent case, administrators and users may simply change or disable those security features for convenience, making a device or system inherently insecure.
Enterprises would be best served by looking at the myriad options for automating the management of their privileged accounts to ensure leaks like this don’t happen again.”