CHICAGO — A would-be hacking attempt into the national Democratic Party’s massive voter file wasn’t that at all. It turns out to be the work of a technology company hired by Michigan Democrats, all in the name of testing how secure the party can keep information on tens of millions of Americans.
“This was an unauthorized test, not an attack,” Bob Lord, the Democratic National Committee’s chief security officer, told The Associated Press in an interview Thursday.
That finding, discovered after national party officials already had contacted federal law enforcement fearing a malicious hacking attempt, marks an odd and potentially embarrassing twist to the party’s data security efforts two years after Russians penetrated DNC computers and released internal communications that upended the 2016 presidential election.
The chairman of the Michigan Democratic Party, Brandon Dillon, did not respond to a request for comment.
Lord, who is attending the party’s summer meetings this week in Chicago, said the episode shows “we could do a better job.” But he also framed the whiplash storyline as evidence the party has improved its overall cybersecurity since 2016, even as it depended on outsiders this time to flag what looked like a threat.
“This is a demonstration that the DNC is plugged into the security community in a way we weren’t before,” Lord said.
Lord says he was notified by two companies — the web security firm Lookout and the web cloud hosting service DigitalOcean — in the wee hours Tuesday morning about a live website that appeared to mimic logins for the DNC’s web-based VoteBuilder program that houses information on voters across the country. The DNC grants state parties access to various portions of the database so the parties and Democratic candidates can use it — and enhance — as part of campaigns.
Lookout is a firm that scours the interest identifying potential threats. DigitalOcean hosted the account of the suspected hacker.
Working with NPG VAN, the DNC’s contractor for VoteBuilder, Lord said the group agreed collectively that what it was seeing was a nearly complete phishing attempt that would be used to lure email Democratic officials with access to VoteBuilder to give up their passwords.
It’s a common phishing exercise, similar to what Hillary Clinton’s campaign chairman, John Podesta, fell for, ultimately leading to Wikileaks unveiling his emails in the months leading up to Clinton’s loss to Donald Trump.
“The website was live, obviously, but the phishing attempt was not yet operational,” Lord told the AP.
DigitalOcean suspended the account. DNC contacted authorities. The FBI has declined comment.
Further investigation identified the account holder as a web contractor that had been hired by the Michigan Democrats. Lord did not identify the firm.
An influential Michigan DNC member, Barry Goodman, said Thursday that he and other prominent Democrats in the state were unaware of the scheme. “I’d like to think I would have known,” Goodman said.
Lord said conversations among DNC executives and Michigan Party officials and employees are ongoing.
He estimated that “thousands” of Democratic Party officials and volunteers around the country have VoteBuilder logins, with various levels of data access. Someone in Lord’s position, for example, would have few restrictions. A state party data director might have access only to voters in his or her state. A low-level staffer knocking on doors or making phone calls for a particular campaign might be restricted only to the list of voters they are trying to contact on a given day.
“We want to encourage phishing tests” like what was being designed, Lord said, noting such “fire drills” are part of any large organization teaching individuals how to protect data.
But cybersecurity protocols, Lord said, require that an entity conducting phishing tests notify other relevant parties so they don’t see red flags. As for whatever programmer designed the would-be hacking attempt, Lord said, “They did good work. I will imagine that the person who worked on this will be able to get a very good job.”