Bernie Sanders campaign claims DNC voter data was leaked multiple times

The Sanders campaign was suspended and forced to fire a staffer, but it is still blowing the whistle on security failures with the database.

The Democratic National Committee (DNC) has suspended the Bernie Sanders presidential campaign from access to its database of Democratic voter information after a staffer on the Sanders campaign improperly accessed proprietary data belonging to the rival campaign of Hillary Clinton, the Washington Post reported today.

The Sanders campaign announced that it has fired the staffer over the incident. However, the campaign has also insisted that the data in the DNC database had been exposed on other occasions during the campaign.

NGP VAN manages the master file for the database, which is maintained by the DNC but contains proprietary information on each campaign that is intended to be protected by firewalls. On Wednesday, NGP VAN issued a software patch that "briefly opened a window into proprietary information from other campaigns," the Washington Post reported. 

In a statement on the company's blog, NGP VAN CEO Stu Trevelyan apologized to the Clinton and Sanders campaigns and explained how the data was able to be viewed:

"On Wednesday morning, there was a release of VAN code. Unfortunately, it contained a bug. For a brief window, the voter data that is always searchable across campaigns in VoteBuilder included client scores it should not have, on a specific part of the VAN system. So for voters that a user already had access to, that user was able to search by and view (but not export or save or act on) some attributes that came from another campaign."

The Sanders campaign's national data director, Josh Uretsky, viewed the data and directed three employees to do the same, the Washington Post reported. On Friday, Sanders campaign spokesman Michael Briggs told CNN that accessing the data was "unacceptable" and confirmed that Uretsky had been fired.

In a separate interview with CNN, Uretsky also claimed proprietary data in the DNC databased had been made available in the past.

"This wasn't the first time we identified a bad breach," he said, confirming to CNN that the Sanders campaign reported another breach to the DNC in October. "We reported it to them. They thanked us for reporting it and they told us the breach had been closed."

"In retrospect, I got a little panicky because our data was totally exposed, too," Uretsky said about the previous breach, according to CNN. "We had to have an assessment, and understand of how broad the exposure was and I had to document it so that I could try to calm down and think about what actually happened so that I could figure out how to protect our stuff."

Uretsky insists that he never accessed any data on the Clinton campaign, telling CNN that he and his staff were actually trying to "understand how badly the Sanders campaign's data was exposed."

"To the best of my knowledge, nobody took anything that would have given the (Sanders) campaign any benefit," Uretsky told CNN. 

Uretsky says that after his team investigated the breach, they immediately reported it to the rest of the campaign, according to CNN. He insists that he planned to report the breach to the DNC, but that the DNC had learned of it before he could contact them, presumably from NGP VAN.

Regardless, Uretsky still took "full responsibility" in his statements to CNN, and his time with the campaign is over. The Sanders campaign, meanwhile, will remain suspended from accessing the DNC database's voter information indefinitely, "until it provides an explanation as well as assurances that all Clinton data has been destroyed," according to the Washington Post.

Corrections: An earlier version of this story featured the headline: "Bernie Sanders campaign claims software vendor NGP VAN exposed voter data multiple times." Former data director Josh Uretsky has since clarified in comments to MSNBC that the previous data breach did not occur with NGP VAN's software, but with "another system." The article was also updated to remove quotes that Sanders campaign Michael Briggs provided to CNN that suggested NGP VAN was responsible for the earlier breaches, but which CNN has since removed from its site. 

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2015 IDG Communications, Inc.