How Much Did Anonymous Really Get From Congressional Staffers?
BY Miranda Neubauer | Tuesday, July 23 2013
A recent release of email address and password combinations apparently used by congressional staffers to manage mass emails to constituents raises concerns about security, but likely won't lead to much change in the use of third-party services by members of Congress, according to Brad Fitch, president and CEO of the Congressional Management Foundation.
People claiming to be affiliated with Anonymous announced last week that they had obtained and released emails and passwords for 2,000 congressional staffers in a move designed to attract attention to their displeasure over online surveillance by the National Security Agency. But the passwords were not paired with email addresses when they were released, making them less useful for actually breaching security, and The Hill reports that they appeared to be login information for the widely used iConstituent email newsletter service.
Officials at iConstituent did not respond to requests for comment. A spokesman at the House Office of the Chief Administrative Officer declined to comment.
Based on his conversations with some affected staff members, Fitch said that staff concern about their own data was not too high, especially since the passwords were not matched to e-mail addresses. It was more of an "amusing experience" to find out what passwords others used, Fitch said.
The greater concern, he said, would be the potential for a hack into the system "which is connected to their CRM software, which might store data of constituents," including in some cases sensitive data like social security numbers. "[They will be] more concerned with their voters than their staff."
Noting that this was the first time this specific kind of breach had been made public, Fitch said he expected other vendors would reevaluate their systems, as third-party services "are always going to be in demand." The House Information Resource Office "can't do everything."
According to the Hill, House Chief Administrative Officer Dan Strodel wrote a message to House chiefs of staff indicating that "all information on the impacted iConstituent system should be considered compromised" and that "more disclosures may happen."
Many of the released e-mail addresses belonged to staff members who no longer work on Capitol Hill or worked for lawmakers no longer in office, such as former Sens. Arlen Specter and Bill Frist.
According to the email cited by the Hill, the House network was not compromised.
In 2010, iConstituent wrote in a blog post regarding attacks on other House websites that "iConstituent-hosted Congressional websites are housed 100% behind the House of Representatives Firewall."
One of the affected staff members, Ian Koski, communications director for Sen. Chris Coons (D-Del.), expressed concern last week to the Hill that there had been no communication from iConstituent and worried about constituent privacy.
According to the Hill, representatives of iConstituent were expected to be present in a Chief Administrative Office meeting on the breach with House offices Monday afternoon.