Updated on April 6, 2018 by UpGuard
Our recent discovery and analysis of publicly downloadable code repositories originating from data analytics firm AggregateIQ has answered a few questions, but raised many more. In Part One of “The AggregateIQ Files,” we explained how the data exposed from within this development repository appear to corroborate existing evidence and accusations that AggregateIQ and Cambridge Analytica, an embattled and highly controversial data firm, work closely together, on projects that appear customized for Cambridge Analytica clients like Texas Senator Ted Cruz.
In Part Two of “The AggregateIQ Files,” we take a closer look at how some of the exposed repositories reveal sensitive information about a number of political organizations in the United Kingdom, with a particular focus on AggregateIQ's apparent work on behalf of British groups active in the "Leave" campaign for the UK's momentous "Brexit" referendum.
In this report, we examine more closely a particularly important category of AIQ’s data set: code from several websites, each concerning a British political organization, party, or pressure group. Some of these entities are already known to have been AggregateIQ customers, and most of them were groups active in the successful “Leave” campaign in the run-up to the UK’s 2016 “Brexit” referendum, in which the country voted to exit the European Union. We shall describe this technical data, as well as highlight the more interesting bits each repository contains.
All of the following analyses describe data contained in AggregateIQ’s formerly publicly accessible code repositories. We have redacted specific references to the locations and hostnames of data stores, as well as credentials, keys, portions of email addresses, personal identities, and more at our discretion and where appropriate. UpGuard Inc. presents these findings as a good-faith analysis and technical contribution to the ongoing conversation around these matters, which concern matters of public interest - in the United States, Canada, the United Kingdom, and the European Union.
It should be noted that, beyond their inherent relevance to current events in the United Kingdom, a primary reason these findings are notable is the fact that typically source files are not accessible by regular visitors to various websites. Simply put, someone with administrative access to the web servers in question either uploaded these files to the AIQ GitLab instance themselves, or provided the files to someone at AIQ who then put them in these code repositories on their behalf - establishing some important links in the process.
Among the AggregateIQ repositories exposed in this breach are seven that concern British political organizations. Below are screen captures of some of them, within the greater AIQ development repository.
Let us now turn to the contents of each of these repositories.
Democratic Unionist Party (DUP)
The Democratic Unionist Party (DUP) is the largest unionist party in Northern Ireland, supported overwhelmingly by Northern Irish Protestants who favor continued union between Northern Ireland and the United Kingdom. The DUP represents Northern Irish constituents in both the Northern Ireland Assembly, a devolved legislature in Belfast administering much of the region’s affairs, and in the Parliament of the United Kingdom at Westminster, where the party currently serves in a coalition government with Prime Minister Theresa May’s ruling Conservative Party.
In the 2016 run-up to the Brexit referendum, the DUP campaigned in favor of the “Leave” movement, spending a large amount on the effort - including over thirty-three thousand pounds spent patronizing AggregateIQ’s services. The DUP repository exposed in the custom AIQ Gitlab, titled “Client-DUP-ActionSite,” once again contains HTML source code, this time for a segment of the DUP’s home webpage at www.mydup.com.
This source code is for a number of apparent “action sites” - landing pages built around a specific issue or candidate, each soliciting the web user’s name and email address to receive further updates. The code below, for a landing page featuring DUP politician Christopher Stalford, gives some idea of the appearance.
Also revealed in this repository is code for a similar landing page whose call to action is to “support the DUP’s pledge to deliver the best possible Brexit for Northern Ireland as part of a clean exit for the United Kingdom.”
This exposure of assets designed for the DUP’s website in the development repository of AggregateIQ comes at a time of public scrutiny about how the party came to hire AIQ, as well as about the party’s spending on AIQ’s services and whether it may have been coordinated with some of the other organizations mentioned in these repositories.
Veterans for Britain
Describing itself as “formed in March 2016 in order to put forward the Defence and Security arguments for the UK to leave the European Union in the 2016 Referendum,” Veterans for Britain is a pressure group consisting largely of UK military members and veterans which, besides campaigning for the successful “Leave” initiative, now operates to help influence the terms of Brexit’s defense provisions. Like the DUP, Veterans for Britain is already known to have been a customer of AggregateIQ, spending £100,000 with the data firm.
Exposed within the repository, which is titled Client-VeteransForBritain-Site, is a database dump and WordPress backup for the organization’s official webpage, located at the address veteransforbritain.uk. The administrator email for this website belongs to an AIQ employee found in many of the AIQ repositories, as seen below; his name has been redacted from his email address, but its origin from the AggregateIQ.com domain is still visible.
In the table listing those Wordpress users with administrative access to the site - granting them the ability to edit or post content on VeteransForBritain.uk - are three individuals. As seen below, the first user, whose name has been redacted, is the same aforementioned AggregateIQ employee who is the site administrator. The second user also has an AggregateIQ email address, and appears in other repositories. The third, however, has a non-AIQ email address, and is listed as being named “Will Carver.”
Media reports reveal that Captain William Carver, a veteran officer of the British Army, served as a spokesman for Veterans for the Britain in the runup to the 2016 referendum; a LinkedIn page under the name William Carver lists both the same military service and work with Veterans for Britain.
One function of the website code contained in this a donation mechanism for use by visitors to VeteransForBritain.uk, powered by the commonly used provider Stripe. A Stripe secret key is present along with the code used on the site to process payments, opening the possibility of a breach had a malicious actor encountered the credentials.
The site’s content which had been visible to users contained multiple pieces of collateral in the form of .PDF files, in the form of political flyers and other printed materials. Finally, also of note in the above image is the website’s timezone: “America/Vancouver,” the same timezone used by British Columbia-based AggregateIQ.
Perhaps the most important of the pro-Brexit organizations exposed in this breach, the UK Electoral Commission designated Vote Leave as the official organization for those campaigning in favor of Brexit in the lead-up to the 2016 referendum. As such, Vote Leave attracted some of the most notable pro-Brexit figures in British politics, including former Mayor of London and current Foreign Secretary Boris Johnson, as well as his current peer in the Prime Minister’s Cabinet, Secretary of State for Environment, Food, and Rural Affairs Michael Gove.
Their AIQ repository, titled “Brexit-sync-master,” contains a number of scripts for processing data apparently customized for VoteLeave.uk. The scripts include tools for buildings lists of people whose information has been gathered online and for contacting them, with exposed fields including voter email addresses, home addresses, and phone numbers. While no actual voter data is included in this repository, these scripts would need to be loaded with such information in order to be operated.
As seen in the image below, the scripts are capable of pulling from a file titled “nbuild_voteleave.signups” to analyze “contactable supporters” across a variety of factors, including which email Vote Leave already possesses about them. Of particular note is a script titled “Contactables labeled AIQ,” a clear reference to AggregateIQ but one of which the significance or meaning remains unclear.
Also contained are operations on what are called “contactables” - likely referring to individuals who have not specifically opted out. Some areas have references that suggest analytical heft, such as one for updating a store of “voter intentions.” A number of credentials to other linked web assets are also exposed in the repository, as is an email used by one of the aforementioned AIQ employees commonly found to have done work on the repositories.
In one area, a script exists to identify areas of Britain with hospital closures, tying these regions to specific postcodes.
Vote Leave’s campaigning efforts often employed National Health Service funding issues as a common talking point in favor of their pro-Brexit efforts, as embodied in the memorable slogan “Give our NHS the £350 million the EU takes every week.”
Change Britain is a successor organization to Vote Leave, established by the same principal leaders with the goal of influencing the terms of a Brexit agreement, now being negotiated between the European Union and Prime Minister May’s Cabinet. AIQ’s repository contains a WordPress backup of their official website, changebritain.org. From this backup we are able to see information regarding who created the site and when.
In the wp_users table, a significant user list exists. Redacted towards the top are the names and email addresses of a web developer and web designer, both based in AggregateIQ’s home province of British Columbia. Also listed are two aforementioned AggregateIQ employees frequently found in the repositories, logged with AIQ email addresses. Of greater significance is the presence of AggregateIQ co-founder Jeff Silvester as a user for this website, along with a number of UK figures significant to the pro-Brexit movement.
Chloe Westley, another one of the users listed here, is also the name of a prominent activist and Vote Leave campaign worker. Westley’s Twitter biography describes her as a “Former @Vote_Leave staffer,” while her LinkedIn lists her final role with the group as its “Head of Campaigns.” Two other figures are listed as users, both with email addresses registered at the ChangeBritain.org domain. The first, Edward Oldfield, matches the name of a LinkedIn user who lists stints as a Researcher and Campaign Coordinator with Change Britain. The second, Caroline Badley, matches the name of a former Labour Party councilor in Birmingham, England, who multiple media reports indicate served as campaign manager for former Labour Member of Parliament Gisela Stuart. Stuart served as the co-chair of the Vote Leave organization, alongside Michael Gove.
Taken together, the users table indicates administrative access to the Change Britain website was shared by a co-founder of AggregateIQ, two AIQ employees, two nearby web contractors, two Change Britain associates, and, most likely, a former Vote Leave staffer. Each of these user accounts, besides being listed alongside their email addresses, are also listed next to the account’s hashed password - which, if decrypted, could be used to access the user accounts. These passwords have been redacted in the image.
This repository is large, containing a larger amount of data - mostly data relating to content posts. The use of an application called PHP Mailer, however, and its administration by AIQ employee emails, points to another site function.
One functionality the site code offers is the ability for visitors to send a form email to their Member of Parliament, using suggested language supplied by Change Britain to urge MPs to “commit to voting unconditionally for Article 50” - the provision enabling member states to exit the European Union.
Besides such information, however, are sensitive credentials left exposed to anyone accessing the publicly downloadable repo. The API ID, secret key, token, and password for Change Britain’s account on NationBuilder, a voter data platform known to have been used by pro-Brexit groups, was left exposed in the code.
This is another WordPress website and database backup, for a website that emerged very shortly after the Brexit referendum was held and then-Prime Minister David Cameron announced his plans to resign. The website, Gove2016.com, was registered with an email username known to have been used elsewhere by an aforementioned AIQ employee found throughout the repositories.
Simply put, the website was designed to advance the candidacy of Michael Gove, the Vote Leave co-chair, for leadership of the Conservative Party. User data below indicates the AIQ user gained administrative access on June 30th, 2016, the same day Gove announced his candidacy.
In addition, a second user was added on July 2nd, 2016, under the name “Sam Frost” - a name also listed in Vote Leave’s official document listing its headquarters staff, as a former United Kingdom Independence Party staffer working for the campaign as a “digital officer.”
This second user account then began posting content to the webpage, revolving around Michael Gove and his case for becoming the next Tory leader.
The updates would continue until Theresa May prevailed over Gove in the leadership race on July 8th.
Billing itself as “promot[ing] and protect[ing] rural life at Parliament, in the media and on the ground,” the Countryside Alliance is a nonpartisan, nonprofit organization devoted to advancing causes and issues of particular importance to rural Britain. The repository named for Countryside Alliance within the AggregateIQ custom Gitlab contains HTML source code for a website at “action.countryside-alliance.org” which would have prompted visitors to supply their email address to receive further updates from email@example.com. The web address “www.countryside-alliance.org” is the authentic homepage for the organization.
Also exposed within the source code are apparent credentials for administering the email mechanism, as shown in redacted form below.
The repository also contains an email template for messages from Tim Bonner, the group’s leader.
The Countryside Alliance did not campaign on either side of the Brexit campaign, unlike the other UK organizations whose web assets appear exposed in this repository, and, as far as our research has shown, does not thus far appear to be publicly known as an AggregateIQ customer.
Brexit My Polling Station
A standalone site, or perhaps a subdomain of a VoteLeave website, designed to point voters toward their closest polling place. The code for this site uses aboutmyvote.co.uk’s government-provided data to display the querying visitor’s closest polling place, and is rather simple in design.
Taken in full, the repositories named for Vote Leave, the DUP, Gove 2016, Change Britain, and Veterans for Britain provide a detailed look into web assets produced by AggregateIQ on behalf of a wide array of pro-Brexit groups and figures (Update 4/2/2018: Per a request from its Chief Executive, the Cyber Risk Team would like to reiterate that unique among the other organizations, the nonpartisan Countryside Alliance did not take an official stance or publicly campaign on behalf of Brexit, as already mentioned in the section above. Chief Executive Tim Bonner states their work with AggregateIQ was brief and occurred a year after the Brexit referendum. Metadata of the files contained in the repository titled for Countryside Alliance provide a "last modified date" of July 6, 2017 at 3:23 pm, likely reflecting when they were backed up to AggregateIQ's data repository). These repositories are rife with exposed credentials, tokens, and passwords which, in the hands of a malicious actor encountering these entirely publicly accessible sites, could have exploited them to criminal effect, perhaps exposing any collected data stored in any active databases to misuse. If any of these organizations were storing data about voters who consented to receive updates in such a database whose credentials were exposed, it could have opened the potential for an even graver data breach.
One regime of European Union laws that all non-member states will still be subject to will be the EU’s General Data Protection Regulation, which will come into effect in late May. The GDPR creates stiff penalties for any exposure of personally identifiable information about a citizen of the EU, mandating rapid reporting of any breach by the affected entity and enabling massive fines in the event of an exposure. Even should the UK leave the EU, GDPR will still govern the personal information of any such citizens whose information passes through the systems of British enterprises.
It remains to be seen how these revelations of AggregateIQ’s work with this network of organizations will be met in Great Britain, but taken together, the “Brexit files” within the AIQ development repository are a stark reminder that even the most technologically advanced kinds of data are not immune from insecurity or human error.
Misconfigurations are an internal problem that emanate from within the IT infrastructure of any enterprise; no hacker is necessary for massive damage to occur to digital systems and stored data. And the problem is pervasive, with Gartner estimating anywhere from 70% to 99% of data breaches result not from external, concerted attacks, but from internal misconfiguration of the affected IT systems.