Cyber Incident Victim: Victory Phones
Date: Jan 2017
Location: United States of America
Summary
A Republican polling firm specializing in automated phone research and political fundraising experienced a database breach when hackers exploited an unprotected MongoDB instance, part of a broader wave of attacks targeting thousands of similarly unsecured databases. The compromised data included donor records containing names, postal and email addresses, phone numbers, genders, donation amounts, and employee usernames with hashed passwords, login IP addresses, and postal details. While much donor information was already publicly accessible through federal election records, the exposure highlighted security failures in the firm's database configuration, which lacked basic protections like a password. The company acknowledged the intrusion, implemented security enhancements, and notified affected users but did not receive any ransom demands or communications from the attackers.
Description
In early January 2017, Victory Phones, a Grand Rapids, Michigan-based automated phone polling and fundraising firm serving Republican political campaigns, suffered a data breach involving its unsecured MongoDB database. Attackers exfiltrated multiple database files, including one 223-gigabyte file containing approximately two billion lines of data primarily related to political donor records. The stolen information included names, postal addresses, email addresses, phone numbers, genders, and donation amounts for individuals who contributed to Republican campaigns. A separate file contained employee usernames, hashed and salted passwords, postal addresses, and login IP addresses. Security researcher Troy Hunt independently verified the breach after receiving a copy of the database, confirming 166,046 unique email addresses in the dataset. Hunt contacted multiple affected individuals who validated the accuracy of their exposed information. Victory Phones CEO David Dishaw acknowledged the intrusion occurred during a wave of attacks targeting poorly secured MongoDB instances but stated the company received no ransom demands. The firm implemented unspecified security enhancements and notified affected users shortly after discovering the breach.

The incident coincided with mass exploitation of approximately 27,000 MongoDB databases left publicly accessible without authentication during late 2016 and early 2017. Attackers typically downloaded unsecured databases and replaced them with ransom notes, though Victory Phones reported no direct extortion attempts. Public Federal Election Commission records showed the company had processed substantial campaign contributions, including $207,602 for Rand Paul's campaign and $103,977 for the Michigan Republican Party. While much of the donor information was already publicly available through FEC disclosures, the breach highlighted ongoing election security concerns following the 2016 presidential race. Security analysts noted the company's database port remained publicly detectable via the Shodan search engine at the time of reporting, months after the initial compromise. The exposure demonstrated risks associated with unprotected internet-facing databases containing sensitive voter and donor information, even when partial data exists in public records.
