There’s more on data discovered in an online breach by AggregateIQ: information tying the obscure Canadian company to pro-Brexit organizations and their activities in the United Kingdom.
Analysis by the firm UpGuard reveals that AggregateIQ did a significant amount of work on behalf of groups active in the “Leave” campaign for the United Kingdom’s infamous and controversial “Brexit” referendum to make an exit from the European Union (EU), according to a blog post by the California firm.
Last week Upguard research director Chris Vickery made public information uncovered from online data repositories belonging to AggregateIQ that he stumbled upon online. That data suggested a link between AggregateIQ and the strategy and activity of Cambridge Analytica and its parent company, Strategic Communication Laboratories (SCL). The initial revelation about the information he found focused on links to the U.S. Republican party and their candidates and interests in 2016 elections.
The latest analysis suggests that AggregateIQ was influential in the campaign for “Brexit,” as well – a significant election with conservative political interests across the pond, according to another blog post by Upguard. In particular, the post reveals code from several websites, each concerning a British political organization, party or pressure group connected to the “Leave” campaign in support of Brexit. Some of the entities also already had been identified as AggregateIQ customers.
[You might also want to read: For Facebook’s Stamos, conflicts over breaches and disclosure a theme]
Vickery’s discovery sheds new light on just what the company’s role in Brexit may have been, though it does not conclusively show any clearly illegal activity by AggregateIQ as related to the Brexit referendum. In recent days, AggregateIQ has come under scrutiny for its role in the Brexit vote and for allegations that the group helped disparate Brexit campaigns coordinate their activities in contravention of UK campaign laws.
Software and assets for pro-Brexit groups
In light of that, UpGuard’s latest research is suggestive. The leaked repositories show that AggregateIQ provided software and other Web assets for seven entities in Britain that backed the referendum giving voters the choice for Britain to leave the EU: the Democratic Unionist Party (DUP), Veterans for Britain, Vote Leave, Change Britain, Gove 2016, Countryside Alliance and Brexit My Polling Station.
“Taken in full, the repositories named for Vote Leave, the DUP, Gove 2016, Change Britain and Veterans for Britain provide a detailed look into web assets produced by AggregateIQ on behalf of a wide array of pro-Brexit groups and figures,” according to the blog post.
Links to the Vote Leave Group
Vote Leave is the most significant of the organizations cited in the data because of its position as the officially designated organization for those campaigning in favor of Brexit in the run up to the 2016 referendum, according to the post. Former mayor of London and current U.K. Foreign Secretary Boris Johnson as well as the current Secretary of State for Environment, Food and Rural Affairs Michael Gove were members of Vote Leave.
The data revealed that an AggregateIQ repository titled “Brexit-sync-master” includes a number of scripts for processing data that was customized for VoteLeave.uk.
The scripts include tools for buildings lists of people whose information has been gathered online and also for contacting them, with exposed fields that show voter e-mail addresses, home addresses and phone numbers, according to Upguard. While the repository shows no actual voter data, that type of information would be needed in order for the scripts to be operated, according to the post.
The data also shows that AggregateIQ had administrator privileges for the website of Veterans for Britain—known to be one of their customers and a pressure group comprised mainly of U.K. military members and veterans. The group not only campaigned for the successful Leave initiative but also now operates to help influence the terms of Brexit’s defense provisions, according to Upguard.
A repository called Client-VeteransForBritain-Site includes a database dump and WordPress backup for the organization’s official Web page. Administrator email for the website belongs to an AggregateIQ employee found in many of the repositories, Upguard said.
Present-day activities and potential ramifications
AggregateIQ also appears to be involved in present-day activities surrounding the terms of a Brexit agreement through a connection to Change Britain–the successor organization to Vote Leave–that the data stores revealed, according to UpGuard.
The same principal leaders of Vote Leave established Change Britain to influence the terms of a Brexit agreement, which is now being negotiated between the European Union and Prime Minister Theresa May’s Cabinet. AggregateIQ’s repository contains a WordPress backup of their official website, which revealed that the site’s W
It remains to be seen what, if any, action will be taken in Britain regarding these new revelations that show AggregateIQ’s close connection to key proponents of the Brexit vote and what potentially could be a misuse of data regarding its work for these entities, UpGuard said.
One new law that could affect the company is the EU’s General Data Protection Regulation (GDRP), which will come into effect in late May.
The information in the repositories showed data of a sensitive nature that could potentially have been exploited or misused for nefarious purposes, according to UpGuard. “These repositories are rife with exposed credentials, tokens and passwords which, in the hands of a malicious actor encountering these entirely publicly accessible sites, could have exploited them to criminal effect, perhaps exposing any collected data stored in any active databases to misuse,” according to the post. If any of these organizations were storing data about voters who consented to receive updates in a database with exposed credentials, the potential for a serious data breach was certainly a possibility, UpGuard added.
Though voters elected to leave the EU, the United Kingdom will still be subject to the GDRP, which “creates stiff penalties for any exposure of personally identifiable information about a citizen of the EU, mandating rapid reporting of any breach by the affected entity and enabling massive fines in the event of an exposure,” according to the blog post.