The DNC-gate debacle has played out in full public view over the past several days. It began publicly last Thursday evening, December 17, 2015, when the DNC evidently inappropriately shut off the Bernie Sanders campaign staff's access to the "voter file" databases owned by the DNC, which are hosted and maintained at vendor NGP VAN. Since then we have heard all sorts of accusations and explanations from all sides: from the Bernie Sanders campaign staff side, from the DNC/Hillary side, and a little from the NGP VAN side (which seems to be the exact same side as DNC/Hillary, something I'll explain in a few moments).
Bernie's campaign, with Jeff Weaver as its primary public spokesperson and Brad Deutsch as the campaign's attorney, has stated emphatically that it intends to continue its lawsuit against the DNC in order to get access to discovery information and to subpoena internal records from the DNC, such as emails between Debbie Wasserman Schultz and Hillary and her campaign staff, telephone call logs, DNC meeting minutes, and whatever else may be germane to the lawsuit.
What has been interesting to me, as an Information Technology engineer with significant (25+ years) data security experience inside and outside Silicon Valley, is that the data, which I assume is stored in some sort of relational-database format (SQL most likely, judging from NGP VAN's Help Wanted ads on the Internet: https://aflcio.hirecentric.com/jobs/90750-14074.html), is evidently freely accessible by ANY user when NGP VAN's [Watchguard?] firewalls sometimes fail and/or when software bugs are introduced as software-maintenance patches are released. This is very poor change-management control, not to mention poor design from a security perspective, and rather infantile in its lack of sophistication, if this is indeed the case.
In any relational database, data that is stored in tables, and in the rows and fields within them, should be secured using permissions granted to security groups (which in turn contain individual user IDs, each a named account assigned to a named person). When this is set up properly, firewalls are not necessarily needed to protect the data from access by the wrong people. Only persons whose user IDs belong to the correct security groups in the system may access data in the database tables. This is database security 101 in the 21st century.
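The group-based model described above, sketched as an added example that is not NGP VAN's schema or code from the original post. It assumes PostgreSQL with row-level security; every role, table and column name is hypothetical.

```sql
-- Constructed illustration: hypothetical names, PostgreSQL syntax.

-- Security groups: roles that cannot log in and only carry permissions.
CREATE ROLE campaign_a_staff NOLOGIN;
CREATE ROLE campaign_b_staff NOLOGIN;

-- Named accounts, one per person, each a member of exactly one group.
CREATE ROLE alice LOGIN IN ROLE campaign_a_staff;
CREATE ROLE bob   LOGIN IN ROLE campaign_b_staff;

-- Shared table: every row is tagged with the group that owns it.
CREATE TABLE voter_contact (
    id          bigserial PRIMARY KEY,
    owner_group name NOT NULL
        CHECK (owner_group IN ('campaign_a_staff', 'campaign_b_staff')),
    voter_name  text NOT NULL,
    email       text
);

-- Default deny at table level, then grant only to the groups.
REVOKE ALL ON voter_contact FROM PUBLIC;
GRANT SELECT, INSERT, UPDATE, DELETE ON voter_contact
    TO campaign_a_staff, campaign_b_staff;
GRANT USAGE ON SEQUENCE voter_contact_id_seq
    TO campaign_a_staff, campaign_b_staff;

-- Row level: a session may read or write a row only if its user is a
-- member of the group named on that row. FORCE applies the policy to
-- the table owner as well (superusers and BYPASSRLS roles are exempt).
ALTER TABLE voter_contact ENABLE ROW LEVEL SECURITY;
ALTER TABLE voter_contact FORCE ROW LEVEL SECURITY;

CREATE POLICY own_group_rows ON voter_contact
    USING      (pg_has_role(current_user, owner_group, 'MEMBER'))
    WITH CHECK (pg_has_role(current_user, owner_group, 'MEMBER'));

-- Check as a campaign A user (run from an administrative session).
SET ROLE alice;
INSERT INTO voter_contact (owner_group, voter_name)
    VALUES ('campaign_a_staff', 'Constructed Voter');   -- allowed
-- The policy filters campaign B rows out of this query for alice,
-- regardless of what the application or a firewall in front of it does.
SELECT count(*) FROM voter_contact WHERE owner_group = 'campaign_b_staff';
RESET ROLE;
```

Because the check lives in the database itself, a faulty application release or a perimeter outage does not by itself expose one group's rows to the other.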
Tim Erlin, Director of Security and Product Management at Tripwire, a renowned data and network security firm, says the following about the incident:
"It sounds like a misconfiguration of the access control between campaigns. There are definitely tools that companies can use to monitor databases for any changes and determine who actually caused the data to be accessible. It's important to remember that there are four parties involved here: two campaigns, the DNC, and a third-party vendor managing the access control. In this case, though there was clearly an issue with NGP-VAN, the DNC has no ability to change vendors quickly, and the impact is on the Sanders campaign, not the DNC directly. With any data breach, change follows consequences. I don't see a lot of motivation for NGP-VAN to change at this point. If the Sanders campaign reported this issue, or one like it before, there should be a record of that interaction. Finding that record would substantiate their version of the incident." http://goo.gl/a6abVx
A high-level article regarding database-security standards is recommended as a starting point for novices, and is available on Wikipedia here: https://en.wikipedia.org/wiki/Database_security
Why then were Clinton campaign staffers able to view database tables, rows, and fields that should've been secured so as to be viewable or editable/deletable only by Bernie staffers? Or vice versa, as the campaign staff and I have reason to believe is the case. While Hillary's campaign staff apparently contends it has never viewed or accessed any of Bernie's campaign data during multiple firewall outages in recent months, there is reason to believe, in the Bernie grassroots community and perhaps among Bernie's campaign staff as well, that Hillary's campaign staff may indeed have accessed, viewed, and/or exported Bernie's data. Many of us, countless thousands of us, in the Bernie volunteer organizer/activist community oddly started receiving donation request emails from the Hillary campaign right after the firewall outage and after Bernie's staff were blocked from their own data by the DNC and NGP VAN. How did the Hillary campaign get our private email addresses, given that we have only ever donated to Bernie, through his website www.berniesanders.com, and have not been in any sort of direct email or other contact with the Hillary campaign or its staff? Has Hillary's campaign staff somehow pilfered data regarding hundreds of thousands of Bernie volunteers nationwide, including our names, e-mail addresses, and other private information? It's certainly VERY suspicious that we only started receiving these numerous donation request and campaign update e-mails from the Hillary campaign right after this most recent firewall outage. Many of us have forwarded some of these suspicious e-mails to the Bernie campaign staff for further analysis, in the event they may be helpful in their ongoing lawsuit against the DNC.
A copy of the lawsuit filed by the Bernie campaign as well as a copy of the DNC-Bernie 2016 services-agreement contract may be viewed here: http://www.politico.com/f/?id=00000151-b72f-d9b7-ad79-f7ff512d0000