Sensitive staff Details of more than 450 people holding “top secret” US government security clearances have been revealed online, according to a new study seen by WIRED. The people’s contact information was included in a database of more than 7,000 people who applied for jobs over the past two years with Democrats in the U.S. House of Representatives.
In late September, while researching unsecured databases, an ethical security researcher came across the exposed data cache and discovered it was part of a site called DomeWatch. The service is run by House Democrats and includes video feeds of House sessions, congressional event calendars and updates on House votes. It also includes a job offers site and a CV bank.
After the researcher attempted to notify the Office of the Chief Administrator of the House of Representatives on September 30, the database was secured within hours and the researcher received a response simply saying, “Thanks for the report.” It is unclear how long the data was exposed or whether anyone else accessed the information while it was unsecured.
The independent researcher, who asked to remain anonymous due to the sensitive nature of the findings, compared the exposed database to an internal “index” of people who may have applied for vacancies. Resumes were not included, they say, but the database contained details typical of a job application process. The researcher found data that included short written biographies of the applicants and fields indicating military service, security clearances and languages spoken, as well as details such as names, phone numbers and email addresses. Each individual was also assigned an internal identifier.
“Some people described in the data spent 20 years on Capitol Hill,” the researcher told WIRED, noting that the information went beyond a list of interns or junior staffers. That’s what makes this finding so concerning, the researcher says, because they fear that if the data had fallen into the wrong hands — perhaps those of a hostile state or malicious hackers — it could have been used to compromise government or military personnel who have access to potentially sensitive information. “From a foreign adversary’s point of view, it’s a gold mine for knowing who you want to target,” says the security researcher.
WIRED has reached out to the Office of the Chief Administrator and House Democrats for comment. Some staff members contacted by WIRED were unavailable because they have been furloughed due to the current U.S. government shutdown.
“Today our office was informed that an external vendor had potentially exposed information stored on an internal site,” Joy Lee, spokesperson for House Democratic Whip Katherine Clark, told WIRED in an Oct. 22 statement. DomeWatch reports to Clark’s office. “We immediately alerted the Office of the Chief Administrative Officer and a thorough investigation was launched to identify and correct any security breaches.” Lee added that the external vendor is “an independent consultant who helps with the backend” of DomeWatch.
