Clinton Hack Likely Massive Breach of VoteBuilder Data
As the Clinton campaign tries to downplay the fact that it was hacked, the real story is going unreported: millions of Americans have likely had intimate personal details of their lives exposed through the hack, and it was probably the fault of the campaign’s lax security.
The Clinton campaign put out a statement once it became apparent that their systems had been hacked:
“An analytics data program maintained by the DNC, and used by our campaign and a number of other entities, was accessed as part of the DNC hack. Our campaign computer system has been under review by outside cyber security experts. To date, they have found no evidence that our internal systems have been compromised.”
First, let’s examine what “an analytics data program maintained by the DNC, and used by our campaign and a number of other entities” is.
There’s only one thing this could be, really: the Democratic voter database, VoteBuilder. And if that’s hacked, it’s a big deal.
This isn’t the first breach of the database. In December, the DNC and the Sanders campaign had a public battle over the latter’s access to the data, culminating in the former shutting off access. As I wrote at the time, this was a big deal:
VoteBuilder is the party’s demographics engine. The service receives voter data (i.e. whether someone voted last election, who they voted for, race, gender, and address) and disseminates this information for political campaigns like Sanders’ and Hillary Clinton’s.
The advantages this information can give are enormous. A candidate without the data, for example, will have to send out volunteers door to door in every neighborhood to spread the campaign’s message. This is exhausting, time-consuming, and a huge expenditure of valuable campaign resources. With VoteBuilder, on the other hand, the campaign can target homes and neighborhoods for get-out-the-vote drives.
The information stored in the databases is extensive. A former Sanders staffer and current New Jersey Democratic State Committee worker who spoke to me under the name “Tyler” told me that it’s also easy to hack.
“Someone that’s volunteered twice could access like 80% of DNC databases,” Tyler explained. “The campaigns are desperate for people to do data entry and no paid staffers want to spend their time doing it, so we get volunteers to do it.”
Documents found online show the sheer amount of data that VoteBuilder gives access to.
Once someone with access to VoteBuilder logs in, they are brought to the homepage, below. The left column is for messages and administrative uses, the middle column contains voter information, and the right column is for data entry. For the purposes of showing the breadth of information VoteBuilder has, we’ll focus on the middle column and go through the steps to find voters.
First, the user clicks on the “Quick Look Up” key.
This will bring the user to a basic search page where simple personal keywords can be input to find voters.
Here, the user used “Smith.” We see all the “Smiths” below.
We select one, Evan Smith. The following information comes up.
The guide helps us to understand what we see here.
This is just one example of what VoteBuilder can do. There’s more at the link, including instructions on how to use the service to target through state, county, village, political leaning… VoteBuilder allows for multiple search patterns and parameters.
As Tyler said above, this information is readily accessible to almost anyone entering data for the campaign, which is disturbing in its carelessness. But surely the DNC has some safety checks in place, right? Right?
“You log-in under an office number,” Tyler said. “There are no password interlocks within the system, so once you log in, you can select from a list of our staffers. Since it has their positions next to their name, you can tell how much data you could potentially have access to that way.”
Someone with the know-how, in other words, could potentially log into the system under a basic username, then select a high-level staffer’s name and enter the system as that person. Once inside the program, the access and ability to edit are as great as the level of the staffer whose name was chosen.
But at least you can only log in inside the office. Right?
“You can also take that log-in back to your house and use it on your own laptop,” Tyler said. “I could tap it right now if I wanted to.”
VoteBuilder is not only insecure inside the campaign offices of the Democratic Party, it’s exposed to remote access as well. Tyler explained that volunteers are usually given logins within a few days of signing up, allowing anyone with less than noble goals to find a relatively unimpeded route into the system.
The VoteBuilder internal system is incredibly insecure. A computer program designed to aggregate all relevant voter information for canvassing and targeted door-knocking is open to any member of the public who sticks around a Clinton campaign office for more than three days.
The Clintons weren’t hacked; they let the hackers in, and then the hackers took the information they wanted. This is far greater than a simple “data analytics program.” If the DNC’s VoteBuilder program was hacked through the Clinton campaign, data about almost every person in the United States, including their home addresses, email, phone numbers, gender, ethnicity, age, etc., has been exposed.
That’s the real story here.
I’ve reached out to the Clinton campaign for comment and confirmation and will update when I hear back.