Updated on April 28, 2018 by UpGuard
The UpGuard Cyber Risk Team’s discovery and analysis of an exposed data repository belonging to AggregateIQ (AIQ), a British Columbia-based data firm, has taken readers around the globe, implicating a number of high-profile political customers in a number of countries. Part One of “The AggregateIQ Files” offered an exclusive look at how exposed technical tools designed for the presidential campaign of Senator Ted Cruz (R-TX) shed light on AIQ’s relationship with Cambridge Analytica - an embattled analytics shop recently revealed to have misused data from 87 million Facebook user accounts. In Part Two, we examined how the repository’s contents revealed AIQ’s work on behalf of a variety of political pressure groups in the United Kingdom - most of them heavily involved in the successful 2016 effort to vote to leave the European Union. In Part Three, we took a closer look at the tools revealed to have been built and stored in the unsecured repository - technical mechanisms capable of highly sophisticated tracking and microtargeting of individuals across the internet.
In this installment, Part Four of “The AggregateIQ Files,” we return to examine data revealed in the exposure showing AIQ’s involvement in political efforts closer to its home base of Victoria, British Columbia. While AggregateIQ’s work on behalf of a number of Canadian politicians is already known, this data provides clear insight into what specific assets were built and possessed by AIQ for their clients, along with previously unreported information - including about exposed credentials and passwords.
It has been with some astonishment to the residents of picturesque Victoria, British Columbia, that AggregateIQ - a small data firm of “about half a dozen employees,” headquartered on the city’s Market Square - has emerged as a central player in an international news story stretching from London to Silicon Valley. With more evidence emerging of its close ties to Cambridge Analytica, the political analytics company currently under investigation for its harvesting of data from over 87 million Facebook user accounts, AggregateIQ is being scrutinized by organizations around the world. While the UK’s Parliament and Information Commissioner’s Office have already been scrutinizing AIQ over its work in the pro-Brexit movement, Facebook, under congressional fire, suspended the company from its platform, citing AIQ’s documented ties to Cambridge Analytica and its parent company, Strategic Communication Laboratories (SCL).
Closer to home, both AggregateIQ and Facebook are now being investigated by provincial and federal regulators in Canada, which are broadening their inquiries into whether either company breached privacy laws. With this rising level of attention, Canadian politicians who patronized AggregateIQ have increasingly come forward, disclosing and detailing their relationships with the embattled company. This is a trend to be lauded. As regulators and elected officials investigate AggregateIQ’s work, the company’s connections to Cambridge Analytica and SCL, and whether there is any connection to broader misuse of personal data around the world, there is clearly a public interest for Canadians to learn more about the services AggregateIQ provided within Canada. Indeed, doing so is also in the best interest of any Canadian politicians who employed AIQ for entirely legitimate and mundane political services, and who now face reputational damage through no fault of their own for AIQ’s other activities.
The exposure of a code repository maintained by AggregateIQ, which was discovered by the UpGuard Cyber Risk Team and then secured, may shed some light on these issues, and perhaps help to protect both the Canadian electorate and politicians who hired AIQ for data services. Within this code warehouse are a number of repositories named for specific politicians and parties, with each listed as a client. These repositories largely contain code base for the construction of websites by AIQ employees, in a structure very similar to those repositories maintained for a number of UK political organizations elsewhere in the larger warehouse. Exposed among this data are credentials, tokens, and passwords that could potentially have been used for the unauthorized access of more information.
Let us now turn to each repository concerning a Canadian political figure or party.
Todd Stone is a Member of the Legislative Assembly of British Columbia, a provincial-level legislature, and member of the British Columbia Liberal Party, a centre-right political group in the province. While Stone currently serves as his party’s Official Opposition Critic for Municipal Affairs in the Assembly, in February 2018 he ran for the position of leader of the BC Liberals, and was eliminated on the third ballot.
In January 2018, it was revealed the Stone campaign had retained the services of AggregateIQ in advance of this leadership bid, drawing some scrutiny due to the firm’s advertised work on the Brexit campaign and subsequent investigation by British regulators. Stone campaign spokesman Stephen Smart described AIQ’s work as “maintaining and marketing ‘digital campaign assets’ for Mr. Stone in the leadership race, adding: ‘Our campaign maintains complete control of all voter and supporter information that is gathered through the use of these digital tools.’”
AggregateIQ’s work on behalf of Stone would, however, draw controversy in the run-up to the leadership election, as over 1,300 new party members signed up by the Stone campaign were eliminated by auditors. As explained by a Stone spokesman, “AggregateIQ...created domain names and email portals to attach email addresses to new members, who were mainly Chinese Canadians in Richmond and Indo-Canadian residents in Surrey.” By creating these emails en masse for new members lacking such accounts, AIQ’s work “could have theoretically allowed the Stone campaign to control registration on behalf of those members,” a rules violation that resulted in their elimination by BC Liberal officials.
Revealed in the AIQ repository are what appears to be some of those digital tools, stored across four repositories bearing Stone’s name. “Client-Todd Stone-Site” contains two folders, “donate.toddstone.ca” and “toddstone.ca,” both of which reference an official campaign website that is still active. Contained within these folders are web assets that appear to be identical to those used on the website.
With the donation subdomain on the site is still live, the folder “donate.toddstone.ca” contains assets that appear to match those used on the site, including an html header for “toddstone.ca/donate,” scripts for the donation tool used on the site, and code for confirmation screens displayed after a successful donation. Of greatest interest, however, is code containing an exposed secret key for a Stripe payment processing account used to receive donations to the Stone campaign, raising the possibility that anyone viewing this publicly accessible data repository could have gained unauthorized access to this account.
Exposed Stripe credentials within the Stone repository.
The other main folder in the repo, “Toddstone.ca,” contains more code for donations on the site, including a vision of what a successful donor would see by way of confirmation.
The confirmation message that would be seen by Stone donors.
A folder titled “Assets” contains photos of Todd Stone, including the header image used atop the “toddstone.ca” webpage (shown below), as well as images for use in social sharing of the site.
An image of Stone contained in the repository and used on his website.
The second relevant repository, “Client-ToddStone-Assets,” is a small one containing more scripts and images of this type, such as the logo used on the website (shown below).
An image in the repository.
Another repository, titled “Client-ToddStone-Events,” contains what appears to be code for event management software, and includes an input for emailing addresses. Code in the file app.class.php also reveals that this information is posted back to an account on NationBuilder, a website offering users grassroots political campaigning technology.
The code for managing events.
The final relevant repository, “Client-ToddStone-Reports,” contains a number of internal assets and scripts with utility for reporting purposes. The file “voters.sql” provides the schema for managing a voter database; while no actual voter data is stored within, you can see how such information would be organized, collecting voter names addresses, phone numbers, and information such as whether they are campaign volunteers or have opted to not receive phone calls.
Some of the code, including for data fields, within "voters.sql."
Elsewhere, in a folder titled “Webroot,” are a number of other interesting assets, some connecting to external services and other known AIQ projects. While the scripts stored in a sub-folder titled “Monarch” appear to be relatively benign - apart from an exposed database password - and are designed to analyze the number of supporters registered and voting by riding, the cache’s name bears some significance. “Monarch” is also the name of the suite of AIQ tools used to track individual behavior online; its exact relationship to this code, if any, is unclear. A filetitled “constituency-stats.json” provides further computing power for tabulating supporters across British Columbia constituencies.
A subfolder titled “Nationbuilder” contains scripts bearing exposed tokens, with its name indicating its possible utility in accessing an external account on Nationbuilder, the aforementioned voter data platform previously found in other AIQ repositories. The code contained in the “Nationbuilder” subfolder appears to provide more ways of analyzing voter data, noting the personal details and behavior of individual voters, such as whether they are a supporter and to what degree.
Some of the "nationbuilder" code.
Finally, a subfolder titled “Zack” contains clear references to Zack Massingham, co-founder of AggregateIQ.
Code for a report within the subfolder "Zack."
The code appears designed to transmit a report summarizing the totals on “members” and “supporters” collected elsewhere.
Like Todd Stone, Mike de Jong is a Member of the Legislative Assembly of British Columbia who, in 2018, entered the race to succeed Christy Clark as leader of the BC Liberal Party and ultimately lost to fellow MLA Andrew Wilkinson. Unlike Todd Stone, however, de Jong did not hire AggregateIQ for that leadership race, after using the firm for his successful 2017 reelection campaign to the Legislative Assembly.
Contained within the two repositories titled with de Jong’s name are a number of assets that appear related to his campaign website for the 2017 reelection campaign, located at mikedejong.com (now offline). The repository “Client-MikeDeJong-Site-Master” contains a backup of this WordPress website, as well as a number of sensitive certificates exposed in the files.
The folder “Keys” contains these aforementioned certificates, perhaps for use with the website. The file “Mikedejong.com.pem” is a certificate encoded in the Privacy-enhanced Electronic Mail (PEM) format. An encoded key titled “Mikedejong.com.csr” appears to be that of a certificate signing request, used to create an SSL certificate for a website. Of perhaps gravest importance is “Mikedejong.com.key,” the private key used with a csr file to request a certificate. The exposure of such a private key is a serious security breach, potentially compromising any relevant encryption.
The redacted private key titled "mikedejong.com.key."
WordPress backup files are also exposed in the folder “Webroot,” along with database access credentials left exposed in the wp-config.php code, seen below.
The exposed database access credentials within "wp-config.php."
An SQL backup, titled “mdj_wordpress.sql,” provides further insight into the content that appeared on www.mikedejong.com when it was live. As can be seen below, the content included familiar political language about de Jong’s work with constituents, as well as his personal biography.
Some of the website content revealed within "mdj_wordpress.sql."
Finally, as has been true of every WordPress backup found throughout the AIQ repositories, the users table shows AggregateIQ employees listed as the administrators - in this case, three of them, whose names repeat throughout many of the website backups. They are redacted below.
The WordPress users table. Note the AggregateIQ email addresses.
Finally, a second repository, titled “Client-MikeDeJong-survey-master,” is also present in the data leak, revealing code for surveying individuals, with apparent capabilities for plugging in questions and answers.
Some of the code within "Survey_finished.html."
Code in “Survey_finished.html” includes apparent confirmation message of survey as finished, with permission for Mike De Jong to contact user later on appropriate questions, as well as providing the user with the ability to share the survey on social media.
In May 2017, BC Liberal candidate Doug Clovechok won a seat in May 2017 to the province’s Legislative Assembly, defeating an incumbent from the New Democratic Party (NDP). AggregateIQ assisted Clovechok in this campaign.
The repository “clovechok-site-master” contains what appears to be a WordPress backup for his website, http://dougclovechok.ca, a URL which now redirects to http://dougclovechokmla.ca/. As with other Wordpress backups for Canadian politicians, these folders show that two Aggregate IQ employees were site administrators, as seen below in an image taken from database_dump.sql.
The WordPress users table.
The Wordpress “uploads/2017” folder has subfolders named 03, 04, 05, 06, suggesting that assets were added between March and June of 2017. Most of the assets in these folders are pictures of Clovechok as a candidate, but one exception is “Trump-softwood.jpg,” used on the page http://dougclovechok.ca/landing_pages/dont-let-trump-bully-us-on-softwood-lumber, presumably in reference to Donald Trump’s tariff on Canadian softwood.
The Trump image contained in the repository.
Elsewhere in the website backup, readers can see where this image was used - on a webpage criticizing the tariff and vowing the BC Liberal Party wouldn’t “let Trump bully us on softwood lumber!”
The code containing the Trump image, along with the content on behalf of the BC Liberals.
Finally, code in “tpl_jobs.html” shows the contents of an email message to be sent to voters.
The "tpl_jobs.html" message.
Other assets in the repository show PHP Mailer functionality for sending such messages.
Though David Calder was unsuccessful in his 2017 bid to represent the Saanich South riding for the BC Liberals in the Legislative Assembly, his past as an Olympic medalist in rowing marks him as a distinguished local citizen who may someday be elected to office. Along with de Jong and Clovechok, Calder is the third Legislative Assembly candidate for the BC Liberals who used the services of AggregateIQ in the provincial elections that year.
As with the other candidates, the repository “calder-site-master” contains a WordPress backup for a past iteration of his website, davidcalder.ca. Images in the “Uploads” subfolder reveal a number of graphics for use in campaigning.
An example of one of the images stored in the "Uploads" folder.
The file “database_dump.sql” reveals some of the content that appeared on this site, as seen below, describing Calder and his platform.
Some of the exposed code, containing website content about Calder.
The WordPress users table once again shows multiple AggregateIQ employees as the administrators.
The BC Greens are a distinct party which competes against the BC Liberals, the most frequent Canadian client of AggregateIQ seen in these repositories. As reported by Canada’s Global News, the Green Party of British Columbia “contracted AIQ in January 2016 to work on a new voter contact database and a website, but according to the party, the relationship ended by August of that year after it was determined that the project ‘was not meeting’ its priorities.”
This abortive partnership may explain why the projects revealed in the repository titled “green-payments-master” seem incomplete. Whereas other projects have web assets such as images of the candidates and content related to their campaign messages, the repository named for the BC Greens contains little more than the bare bones of code for processing online donations. In addition, the associated database was hosted locally, suggesting it may not have ever ultimately been deployed for public use. There are files to to make API calls to a payment processor, Helcim, and send emails via SendGrid, as well as various related requirements like processing cancellations or recurring payments. As with other projects, there are exposed credentials, such as the API token for the payment provider, that should be kept private due to their potential for abuse.
Config.php with credentials exposed.
One interesting note is the use of the function name “pillar” in payment.class.php. Elsewhere in AIQ’s Gitlab instance, “Pillar” is the name of a campaign management application which appears to be an improved version of Ripon, which was sold to the 2016 US presidential campaign of Senator Ted Cruz. The BC Green repository contents has no signs of integration with that project and, as mentioned, shows only the rudimentary scripting for a payment system. It remains unclear exactly what relationship might exist between the Pillar project and this code, where the “pillar” function maps data from one object to another, with comments (seen in the below image on the greyed out lines beginning with //) that may indicate plans for future development.
Payment.class.php with usages of “pillar” that have no apparent integration with AIQ’s other project named Pillar.
That this project was developed by Aggregate IQ is not in question. The file donate-endpoint.php uses an aggregateiq.com address, and the name of one of AIQ’s developers recurs throughout.
Donate-endpoint.php contains script which includes an AIQ URL and a token.
Request.test.html shows a test with a developer’s first name.
This folder contains a Wordpress backup for a website configured to run at the web address andywells.ca, loaded with assets related to a longtime Canadian political figure. Unique among the other Canadian politicians found throughout the repository, Andy Wells is not from British Columbia, but from Newfoundland and Labrador, where he served as mayor of the city of St. John’s from 1997 to 2008. Wells also ran unsuccessfully again for mayor of St. John’s in 2017, and it appears to be assets from this campaign that populate the repository bearing Wells’s name.
At the top level of the “Client-AndyWells-Site” folder are two items of interest: a file, “wordpress.sql,” that is a 6.3 MB WordPress backup of the website “www.andywells.ca,” and a folder titled “webroot.”
As seen in many of the other repositories, the website backup includes a large amount of boilerplate Wordpress code, as well as customization indicating its utility for andywells.ca and its administration by AIQ employees.
The statement seen below writes to a table called “wp_options” used to configure the website. Here we see the address, www.andywells.ca, alongside an administrator with an @aggregateiq.com email address.
The table "wp_options."
The wp_users table shows additional AIQ staff being added to the database. The timestamps are the “user_registered” dates; the first user’s registration was in October 2016, the second in March 2017.
The "wp_users" table.
The folder “webroot” contains code and assets for the website. In the folder path “wp-content/uploads/” there are two folders, “2016” and “2017.” In “2016” there is a folder named “10, and in “2016” there are folders named “03,” “08,” and “09”– a naming convention that normally is a function of the month of upload for Wordpress sites. All of these folders contain images, as is the purpose of content upload folders.
In “2016/10” the assets names describe their purpose. Some of them begin with “action” followed by the action which they would presumably be intended to drive. Others are images of Andy Wells himself.
Some of the image assets exposed.
There are also further images with names related to “survey.”
In “2017/08” and “2017/09” more pictures of Wells are present, along with additional stock images. One set, titled “AndyWells-Mail-in-ballot-POINTS,” may refer to other AIQ systems where users earn “points” for certain behaviors, a tool used to further refine targeting.
Another exposed image file.
One of the files that departs from generic Wordpress code is the report.php file located at Client-AndyWells-Site/webroot/submit/report.php. This file appears to provides the capability to a report on contacts gathered from andywells.ca, and to provide such reporting for AIQ’s Zack Massingham.
In particular, this code this generates a report about “surveys,” which suggests a connection to the surveys mentioned above in various asset names. The code in this file reads from the log of forms submissions (the file “form_submits.log") then makes use of a comma separated value file named “andy_contacts_.” This file provides the code to generate a report on people who have submitted a survey through the site. As it is application code, not a data store of those submissions or log of activity, there is no indication of whether any people submitted these forms. What is clear that code was written to support reporting on such submissions for this website, readable for the aforementioned AIQ administrator.
The exposure of these repositories is significant for a number of reasons, but perhaps most obvious regards this question: how were web assets for a number of Canadian public servants, designed by a third-party vendor and including such sensitive information as wholly exposed access credentials, made available to anyone entering a web address? The scenario of a malicious actor finding this publicly downloadable data warehouse and using these access credentials to penetrate further into any information gathered into them is all too plausible.
The potential misuse of any directly or indirectly exposed data emanating from these repositories would certainly be grave. Though public anger may be directed in their direction, it must be noted that the politicians and parties described in this report may be victims as well. With their web assets exposed due to the error of AggregateIQ, a campaign vendor hired to build websites and technical tools, these politicians have suffered from the effects of third-party vendor risk, in which the sharing of information with an insecure partner leads to a digital backlash affecting all parties. Due to a dangerous configuration on the part of the AIQ, this data leaked - an occurrence likely beyond any control or knowledge of the customers affected within. Whether a political operative, private figure, or corporate leader, anyone hiring a firm with which they will share sensitive information must put processes in place to ensure their data will be processed securely.
Finally, given AggregateIQ’s documented ties to Cambridge Analytica, as well as its parent company, Strategic Communication Laboratories, and its reported work on the Brexit referendum, there is a significant public interest in learning more about how AggregateIQ secures its data, and what data it possesses. The intersection of elected officials with companies accused of playing fast and loose with data privacy is a mounting concern around the world. By informing the public, we hope to further enable citizens to make up their own minds, and secure their own data as well as possible against misuse.
Misconfigurations are an internal problem that emanate from within the IT infrastructure of any enterprise; no hacker is necessary for massive damage to occur to digital systems and stored data. And the problem is pervasive, with Gartner estimating anywhere from 70% to 99% of data breaches result not from external, concerted attacks, but from internal misconfiguration of the affected IT systems.