Sanders campaign punished after Clinton data breach

Dec 18, 2015 1:21 PM by CBS News

Bernie Sanders' campaign acknowledged Friday morning that its campaign inappropriately accessed the voter files of "another campaign" -- reported by media outlets to be Hillary Clinton's -- and as a result, fired the staffer involved.

The DNC has suspended the Sanders campaign's access to the 50-state voter file, a master list of voter information and history, including past support, donations, and subscriptions. According to a Democratic elections source, access to the voter file will be denied until the campaign explains its actions and provides proof to the other campaign that the data obtained during the breach has been disposed of.

"We are also looking at the option of an independent audit by a data security firm," the source added.

That's seen as a serious blow to the Vermont senator's efforts just a day before aDemocratic debate and weeks ahead of the first caucuses and primaries.

Blaming the vendor for the Democratic National Committee (DNC), the Sanders campaign said in a statement, "Unfortunately, yesterday, the vendor once again dropped the firewall between the campaigns for some data. After discussion with the DNC it became clear that one of our staffers accessed some modeling data from another campaign. That behavior is unacceptable and that staffer was immediately fired."

The Sanders campaign also said it wasn't the first time the firewall between the different campaigns had been dropped. "Sadly, the vendor who runs the DNC's voter file program continues to make serious errors," it said. "Our campaign months ago alerted the DNC to the fact that campaign data was being made available to other campaigns. At that time our campaign did not run to the media, relying instead on assurances from the vendor."

The independent Vermont senator's campaign said it is working with the DNC and the vendor, NGP VAN, to ensure that the software flaws are corrected.

NGP VAN refuted the Sanders' claim that the company had made errors in the past, telling CBS News in a statement that the data breach had been a "brief isolated issue."

"The security and privacy of our customers' data is a top priority," NGP VAN CEO Stu Trevelyan said. "Over the company's 19 year history, we've not had a problem with that; but on Wednesday, we did have a brief isolated issue for users of one of our products."

Trevelyan went on to explain that a Wednesday release of VAN code "contained a bug" and "for a brief window, the voter data that is always searchable across campaigns in VoteBuilder included client scores it should not have, on a specific part of the VAN system."

Before the bug was fixed, users were able to search and view data from other campaigns, "but not export or save or act on" the data, Treveylan wrote.

The company said that as soon as the bug was detected, they "immediately mobilized" its engineers to investigate the source of the problem. The vendor later determined that "only one campaign" took actions that could have led to the storage of confidential data it did not have permission to access.

NGP VAN is providing a "thorough report" to the DNC of the incident and is conducting its own review "to ensure the integrity of the system."

The Washington Post was first with word of the breach and the Sanders staffer's actions.

The Sanders campaign confirmed to CBS News that the staffer fired was the Sanders campaign's national data director, Josh Uretsky. The campaign is also looking into the possibility that others on the campaign accessed the data as well.

Uretsky spoke with CNN early Friday, explaining that "We knew there was a security breach in the data, and we were just trying to understand it and what was happening... To the best of my knowledge, nobody took anything that would have given the (Sanders) campaign any benefit."

Uretsky noticed the data breach on Wednesday, said that he had told other higher-ups in the Sanders campaign of the security concern and had intended to let the DNC know as well. Uretsky said he only entered the database to create a record that he was able to go "through stuff that I wasn't supposed to have access to" and to investigate the extent of the breach.

The New York Times indicates there may have been up to three other data users involved: "According to three people with direct knowledge of the breach, there were four user accounts associated with the Sanders campaign that ran searches while the security of Mrs. Clinton's data was compromised," the newspaper says.

DNC Communications Director Luis Miranda explained in a statement to CBS News that, "The DNC was notified on Wednesday by its data systems vendor NGP VAN that, as a result of a software patch, all users on the system across Democratic campaigns were inadvertently able to access some data belonging to other campaigns for a brief window."

"The DNC immediately directed NGP VAN to conduct a thorough analysis to identify any users who accessed the data, what actions they took in the system, and to report on the findings to the Party and any affected campaign," Miranda continued.

"We have also instructed NGP VAN to conduct a full audit of the system to ensure the integrity of the data and the security of the system for the campaigns that use it, and to begin a review process with every campaign and user to ensure they understand and abide by the rules governing the use of the system," he added.

CBS News' Jacqueline Alemany, Nancy Cordes, Hannah Fraser-Chanpong, and Alex Greco contributed to this report.


Most Popular