It may not be on the level of failing to adequately secure State Department communications, but it seems Donald Trump’s organization could use a refresher course on data security. And when it finishes that, it might want to tackle a course on transparency.
On Sunday night, DataBreaches.net received an email from MacKeeper Security Research Center lead researcher Chris Vickery. In the course of his research, he had discovered that Donald Trump’s organization had a leaky bucket on their Amazon S3 server that was exposing the resumes of those who had applied to the organization for internship positions. Chris was understandably uncertain as to the best route to try to get a message to the campaign so that they could promptly secure the files.
On Monday morning, both Chris and this blogger took to Twitter to tweet to Trump to try to get his attention. Despite a few attempts and retweets from helpful followers, that approach failed to get any response. Nor did tweets to major news outlets trying to get their attention succeed (probably because they had all suddenly realized that yes, maybe Clinton’s health was an issue that they should have been covering).
But thanks to one of my followers on Twitter who sent me a private message, I was able to connect with the director of an insurance company involved with Trump’s organization. Once I explained the situation to him, he immediately called the right people. The bucket was quickly secured after his call. I’d thank him and his firm publicly, but they prefer not to be named publicly.
DataBreaches.net requested a statement from Trump’s organization about the leak, but has received no response – no explanation of for how long the files had been accessible or who was responsible. Not even a thank-you for taking the time to try to alert them to the problem. To my knowledge, they have not made any public acknowledgement of the data leak nor responded to inquiries from a number of media outlets who were aware of the situation.
Keep in mind that we do not know what else was exposed on that leaky bucket because Chris made an ethical decision that it was more important to get the bucket secured quickly to protect the intern applicants than to continue exploring what else may have been exposed. As Chris explained in a statement shared with this site:
If my initial findings are correct, then any file in that S3 bucket could have been downloaded. All you had to do was guess the file’s path and name. The exposed intern resumes are a good example of sensitive data that can be unintentionally released, but we may never know if there were even more sensitive files exposed as well.
So how do those whose resumes were exposed feel about the leak? Contacted by DataBreaches.net, Yoon Joon So, replied:
I’m pretty disappointed that this happened. The Trump campaign should know about the importance (of) secure emails better than anyone else.
You’d think so, wouldn’t you?
Another applicant, Vinny Meller, told DataBreaches.net:
While I’m not too uncomfortable with the information provided to the Trump campaign being leaked, I’m not very happy about it. The possibility of information I provide being unsecured isn’t something I ever think really think about, because having decent security in place is not difficult in 2016. I’m definitely pretty disappointed in the Trump campaign over it. Even though I am disappointed, I think everybody should always be ready for something like this to happen, and keep that possibility in the back of your mind. I always try to keep information I give out to things like this to a minimum for that reason.
Now that’s a wise young man – maybe too wise for a campaign that didn’t take the security of his information seriously enough to even post anything on their site as to how to escalate communications about a data security concern – and a campaign that hasn’t yet even acknowledged the problem or been transparent about it.
Will the campaign contact those whose information was exposed? I guess we’ll have to wait to see. In the meantime, read Chris’s coverage of this leak on MacKeeper Security Watch.