Bernie Sanders campaign accessed Hillary Clinton's voter data

DNC: Sanders campaign improperly accessed Clinton data

Bernie Sanders' campaign acknowledged Friday morning that its campaign inappropriately accessed the voter files of "another campaign" -- reported by media outlets to be Hillary Clinton's -- and as a result, fired the staffer involved.

The DNC has suspended the Sanders campaign's access to the 50-state voter file, a master list of voter information and history, including past support, donations, and subscriptions. According to a Democratic elections source, access to the voter file will be denied until the campaign explains its actions and provides proof to the other campaign that the data obtained during the breach has been disposed of.

"We are also looking at the option of an independent audit by a data security firm," the source added.

That's seen as a serious blow to the Vermont senator's efforts just a day before a Democratic debate and weeks ahead of the first caucuses and primaries.

New poll of millennials shows Trump, Sanders leading, support for ground troops against ISIS

Blaming the vendor for the Democratic National Committee (DNC), the Sanders campaign said in a statement, "Unfortunately, yesterday, the vendor once again dropped the firewall between the campaigns for some data. After discussion with the DNC it became clear that one of our staffers accessed some modeling data from another campaign. That behavior is unacceptable and that staffer was immediately fired."

The Sanders campaign also said it wasn't the first time the firewall between the different campaigns had been dropped. "Sadly, the vendor who runs the DNC's voter file program continues to make serious errors," it said. "Our campaign months ago alerted the DNC to the fact that campaign data was being made available to other campaigns. At that time our campaign did not run to the media, relying instead on assurances from the vendor."

The independent Vermont senator's campaign said it is working with the DNC and the vendor, NGP VAN, to ensure that the software flaws are corrected.

NGP VAN refuted the Sanders' claim that the company had made errors in the past, telling CBS News in a statement that the data breach had been a "brief isolated issue."

"The security and privacy of our customers' data is a top priority," NGP VAN CEO Stu Trevelyan said. "Over the company's 19 year history, we've not had a problem with that; but on Wednesday, we did have a brief isolated issue for users of one of our products."

Trevelyan went on to explain that a Wednesday release of VAN code "contained a bug" and "for a brief window, the voter data that is always searchable across campaigns in VoteBuilder included client scores it should not have, on a specific part of the VAN system."

Before the bug was fixed, users were able to search and view data from other campaigns, "but not export or save or act on" the data, Treveylan wrote.

The company said that as soon as the bug was detected, they "immediately mobilized" its engineers to investigate the source of the problem. The vendor later determined that "only one campaign" took actions that could have led to the storage of confidential data it did not have permission to access.

An audit, conducted by NGP VAN and first obtained by Bloomberg Politics, revealed that four accounts connected to the Sanders team conducted searches on lists of supporters in 10 early voting states, including Iowa and New Hampshire. A DNC official confirmed the results of the audit to CBS News.

According to Bloomberg, though the Sanders campaign claimed it had not retained a record of the Clinton data, the audit shows that during the 40 minutes the database was vulnerable, Sanders' team created at least 24 lists and saved them to their personal folders.

The Washington Post was first with word of the breach and the Sanders staffer's actions.

The Sanders campaign confirmed to CBS News that the staffer fired was the Sanders campaign's national data director, Josh Uretsky. The campaign is also looking into the possibility that others on the campaign accessed the data as well.

Uretsky spoke with CBS News on Friday, explaining that he only wanted to "accurately assess for the campaign and both the DNC and VAN what my undertanding was of what was wrong."

"I looked at what were able to access and tried to quantify it in a way that was transparent and that I knew was being logged by the NGP VAN system," the former staffer said.

Uretsky noticed the data breach on Wednesday, and said that he had told other higher-ups in the Sanders campaign of the security concern and had intended to let the DNC know as well.

He added that it was "just standard protocol in the field of data and tech in general to actually assess the problem" and "make sure you understand it before you raise a red flag and freak people out."

The former data director told CBS that he had also "reported previous security issues to the database."

"We had previously discovered other exposures and we quantified it and told them probably within a day of figuring it out," Uretsky said.

The New York Times indicates there may have been up to three other data users involved: "According to three people with direct knowledge of the breach, there were four user accounts associated with the Sanders campaign that ran searches while the security of Mrs. Clinton's data was compromised," the newspaper says.

DNC Communications Director Luis Miranda explained in a statement to CBS News that, "The DNC was notified on Wednesday by its data systems vendor NGP VAN that, as a result of a software patch, all users on the system across Democratic campaigns were inadvertently able to access some data belonging to other campaigns for a brief window."

"The DNC immediately directed NGP VAN to conduct a thorough analysis to identify any users who accessed the data, what actions they took in the system, and to report on the findings to the Party and any affected campaign," Miranda continued.

"We have also instructed NGP VAN to conduct a full audit of the system to ensure the integrity of the data and the security of the system for the campaigns that use it, and to begin a review process with every campaign and user to ensure they understand and abide by the rules governing the use of the system," he added.

CBS News' Jacqueline Alemany, Nancy Cordes, Reena Flores, Hannah Fraser-Chanpong, and Alex Greco contributed to this report.

f

We and our partners use cookies to understand how you use our site, improve your experience and serve you personalized content and advertising. Read about how we use cookies in our cookie policy and how you can control them by clicking Manage Settings. By continuing to use this site, you accept these cookies.