The sensitive personal details of more than 450 people holding “top secret” US government security clearances were left exposed online, new research seen by WIRED shows. The people’s details were included in a database of more than 7,000 individuals who have applied for jobs over the last two years with Democrats in the United States House of Representatives.
While scanning for unsecured databases at the end of September, an ethical security researcher stumbled upon the exposed cache of data and discovered that it was part of a site called DomeWatch. The service is run by the House Democrats and includes videostreams of House floor sessions, calendars of congressional events, and updates on House votes. It also includes a job board and résumé bank.
After the researcher attempted to notify the House of Representatives’ Office of the Chief Administrator on September 30, the database was secured within hours, and the researcher received a response that simply said, “Thanks for flagging.” It is unclear how long the data was exposed or if anyone else accessed the information while it was unsecured.
The independent researcher, who asked to remain anonymous due to the sensitive nature of the findings, likened the exposed database to an internal “index” of people who may have applied for open roles. Résumés were not included, they say, but the database contained details typical of a job application process. The researcher found data including applicants’ short written biographies and fields indicating military service, security clearances, and languages spoken, along with details like names, phone numbers, and email addresses. Each individual was also assigned an internal ID.
“Some people described in the data have spent 20 years on Capitol Hill,” the researcher tells WIRED, noting that the information went beyond a list of interns or junior staffers. This is what made the finding so concerning, the researcher says, because they fear that if the data had fallen into the wrong hands—perhaps those of a hostile state or malicious hackers—it could have been used to compromise government or military staffers who have access to potentially sensitive information. “From the perspective of a foreign adversary, that is a gold mine of who you want to target,” the security researcher says.
WIRED reached out to the Office of the Chief Administrator and House Democrats for comment. Some staff members WIRED contacted were unavailable because they have been furloughed as a result of the ongoing US government shutdown.
“Today, our office was informed that an outside vendor potentially exposed information stored in an internal site,” Joy Lee, spokesperson for House Democratic whip Katherine Clark, told WIRED in a statement on October 22. DomeWatch is under the purview of Clark’s office. “We immediately alerted the Office of the Chief Administration Officer, and a full investigation has been launched to identify and rectify any security vulnerabilities.” Lee added that the outside vendor is “an independent consultant who helps with the backend” of DomeWatch.
There are many unsecured and publicly accessible databases across the internet, and the researcher says that they might not have paused to investigate the DomeWatch data had they not noticed keywords involving top-secret security clearances. This underscores the concern, the researcher says, that while the database is small, it contains information that would be potentially valuable in nation-state espionage. One entry, for example, listed a person who had “intelligence” and “US-China relations” experience.
“Exposed databases are a widespread, non-partisan cybersecurity problem. Left unchecked, they enable targeted espionage, fraud, and identity abuse,” says Alexander Leslie, senior advisor for government affairs at the threat intelligence firm Recorded Future, who was not involved in the research. “If accurate, this dataset would be extremely sensitive. Military histories and clearance status give adversaries precise reconnaissance and pretexting opportunities, and foreign espionage actors could further use this data for spear-phishing, impersonation, and targeted social-engineering to gain access or compromise accounts.”
According to the researcher, the data also included information about people’s political affiliations. Among the estimated 7,000 entries, there were around 4,200 people who appeared to have experience working in Congress. In total, 6,300 people were marked as having Democratic Party affiliation, while 17 were listed as having Republican Party affiliation, and another 250-plus were listed as independent or other. The researcher says there were also some links to files or documents housed in other cloud storage systems.
Recorded Future’s Leslie also points out that known breaches of data related to US government employment—most notably the 2015 Office of Personnel Management hack—create what he calls “long-term US national security and personnel risks.”
“This research was not targeted toward any political party or affiliation,” the researcher who found the unsecured database says. “It was just finding data, realizing that it could be vulnerable, and thinking of all the ways that not just criminals could use it, but foreign adversaries. It shouldn’t be exposed.”
Publisher: wired.com