Democratic National Committee
December 18, 2015   rec'd 1:14 PM

Statement by DNC Chair on Sanders Data Breach

WASHINGTON - DNC Chair Rep. Debbie Wasserman Schultz issued the following statement today:
 
"Earlier this week, an incident briefly allowed users on the NGP VAN system to inadvertently access some data belonging to other campaigns. During this window, over the course of approximately 45 minutes, staffers of the Bernie Sanders campaign inappropriately accessed voter targeting data belonging to the Hillary Clinton campaign. At no point were financial information, donor records, or volunteer data exposed. 
 
"We consider the security of the NGP VAN system and the integrity of the data it contains a top priority. The error in the VAN software was fixed immediately, and we have been reassured by NGP VAN that the incident did not expose any data to the public or any external entity. This is an isolated incident resulting from a vendor software patch, not a hack, and the users who accessed data were secure users. All VAN data is now secure.
 
"Upon being made aware of the situation, the DNC immediately directed NGP VAN to conduct a thorough analysis to identify any users who may have accessed data inappropriately and pinpoint exactly what actions any such users took in the system, and to report these findings to the DNC. Further, the DNC has directed NGP VAN to begin a review process of their internal procedures to identify how this mistake was allowed to happen and prevent further such mistakes. In addition to this full and complete internal audit which we have instructed NGP VAN to conduct, we are also beginning the process of securing an independent audit by a data security firm of the company’s procedures.
 
"Once the DNC became aware that the Sanders campaign had inappropriately and systematically accessed Clinton campaign data, and in doing so violated the agreement that all the presidential campaigns have signed with the DNC, as the agreement provides, we directed NGP VAN to suspend the Sanders campaign's access to the system until the DNC is provided with a full accounting of whether or not this information was used and the way in which it was disposed. I have personally reached out to Senator Sanders to make sure that he is aware of the situation. When we receive this report from the Sanders campaign, we will make a determination on re-enabling the campaign's access to the system. 
 
"We are working with the Sanders and Clinton campaigns and NGP VAN to establish all of the facts and move forward as quickly as possible. Our primary goal at this moment is to ensure the integrity of the data so that the campaigns -- and the entire Democratic Party -- can continue the important work we do of connecting with voters on the issues that matter most to them and their families."
 
###

Bernie 2016, Inc.
December 18, 2015   rec'd 1:21 PM
Contact: Michael Briggs

Statement by Jeff Weaver, Bernie Sanders 2016 Campaign Manager

Two months ago, shortly after our digital vendor who conducts modeling for our campaign told us that there was failure in the firewall that prevents campaigns from seeing one another's data, we contacted the DNC and told them about the failure. We were concerned that our data could be compromised and we were assured at the time the firewall would be restored.

Instead, we found out two days ago that once again, this sensitive and important data was compromised because the DNC and its vendor failed to protect it.

We have invested enormous campaign resources in acquiring the rights to use this proprietary information. But the DNC, in an inappropriate overreaction, has denied us access to our own data.

Let me briefly discuss the three issues involved here.

First, this is not the first time that the vendor hired by the DNC to run the voter file program, NGP VAN, has allowed serious failures to occur. On more than one occasion, they have dropped the firewall between the data of competing Democratic campaigns. That is dangerous incompetence. It was our campaign months ago that alerted the DNC to the fact that campaign data was being made available to other campaigns. At that time our campaign did not run to the media, relying instead on assurances from the vendor that the problem would be resolved. Unfortunately, the other day, the vendor once again dropped the firewall between the campaigns for some data.

Secondly, after discussion with the DNC it became clear that some of our staffers irresponsibly accessed some of the data from another campaign. That behavior is unacceptable to the Sanders campaign and we fired the staffer immediately and made certain that any information obtained was not utilized. We are now speaking to other staffers who might have been involved and further disciplinary action . Clearly, while that information was made available to our campaign because of the incompetence of the vendor, it should not have been looked at. Period.

Thirdly, rather incredibly, the leadership of the DNC has used this incident to shut down our ability to access our own information, information which is the lifeblood of any campaign. This is the information about our supporters, our volunteers, the lists of people we intend to contact in Iowa, New Hampshire and elsewhere. This is information that we have worked hard to obtain. It is our information, not the DNCs.

In other words, by their action, the leadership of the Democratic National Committee is now actively attempting to undermine our campaign. This is unacceptable. Individual leaders of the DNC can support Hillary Clinton in any way they want, but they are not going to sabotage our campaign - one of the strongest grassroots campaigns in modern history.

We are announcing today that if the DNC continues to hold our data hostage, and continues to try to attack the heart and soul of our campaign, we will be in federal court this afternoon seeking an immediate injunction.

What is required here is a full and independent audit of the DNC’s handling of this data and its security from the beginning of this campaign to the present, including the incident in October that we alerted them to.
 
###
Hillary for America
December 18, 2015    rec'd 3:36 PM

Hillary for America Statement on Breach of Campaign’s Voter Data

Hillary for America National Press Secretary Brian Fallon released the following statement on the breach of the campaign’s data revealed today.
 
“We were informed that our proprietary data was breached by Sanders campaign staff in 25 searches by four different accounts and that this data was saved into the Sanders' campaign account. We are asking that the Sanders campaign and the DNC work expeditiously to ensure that our data is not in the Sanders campaign's account and that the Sanders campaign only have access to their own data.”
 
###


Ed. note: The DNC's referral to the "Sanders Data Breach" is interesting, since it looks more like a DNC/vendor data breach that the Sanders campaign happened upon.  Attorneys for the Sanders campaign did indeed go to the U.S District Court in the afternoon seeking an injunction agains the DNC, claiming that the campaign was "sustaining irrrepable injury and financial losses" due to the DNC's violation of its agreement on the use of the NGP VAN voter file data.  See Bernie 2016, Inc. v. DNC [PDF]


Hillary for America
December 18, 2015    rec'd 8:57 PM

Hillary for America Statement In Response to Possible Court Resolution Of Sanders Lawsuit Tonight

In response to Senator Bernie Sanders' presidential campaign's expected appearance before a federal judge as soon as tonight, Hillary for America press secretary Brian Fallon released the following statement expressing its hope for a swift resolution in this matter:
 
"We hope that the court will resolve this matter tonight and the Sanders campaign has access to their voter files right away, with adequate protections of our proprietary information, which we understand could be completed in short order.  
 
"As we stated earlier today, we also want a full, independent accounting of the Sanders campaign's actions, as well as assurances that no data or strategic insight from this act of intrusion will be used by his campaign.  This was an egregious breach of data and ethics." 
 
 
###

Bernie 2016, Inc.   rec'd 12:19 AM
December 19, 2015
Contact: Michael Briggs

DNC to Restore Sanders Campaign's Access to Voter Files

WASHINGTON – The Democratic National Committee on Friday capitulated and agreed to reinstate Sen. Bernie Sanders’ campaign’s access to a critically-important voter database.

The about face came late on Friday night as a deadline neared for a hearing on a motion for an emergency injunction which the Sanders campaign sought after he sued the party in U.S. District Court in Washington.

The lawsuit sought the "immediate restoration" of the campaign's access to the voter database. It argued that without the database, the campaign would lose some $600,000 a day in donations.

The campaign’s access to the database should be restored by Saturday morning in time for the campaign staff and volunteers to contact voters over the weekend.

“We are extremely pleased that the DNC has reversed its outrageous decision to take Sen. Sanders’ data. The information we provided tonight is essentially the same information we already sent them by email on Thursday,” said Jeff Weaver, Sanders’ campaign manager.

“Clearly, they were very concerned about their prospects in court. Now what we need to restore confidence in the DNC's ability to secure data is an independent audit that encompasses the DNC's record this entire campaign. Transparency at the DNC is essential. We trust they have nothing to hide,” Weaver added.

The DNC decision to let Sanders use his own database came after the national party was barraged with outraged messages from grassroots supporters of Sanders. There were more than 214,800 people who signed an online petition to the DNC circulated by Sanders’ campaign. MoveOn.org collected another 250,000 petition signatures and Democrats for America collected 100,000.

Earlier on Friday, Democracy for America issued a statement from Executive Director Charles Chamberlain saying, “The Democratic National Committee's decision to attack the campaign that figured out the problem, rather than go after the vendor that made the mistake, is profoundly damaging to the party's Democratic process. DNC leaders should immediately reverse this disturbing decision before the committee does even more to bring its neutrality in the race for President into question.”
 
-###-

Democratic National Committee
For Immediate Release
December 19, 2015   rec'd 12:20 AM

DNC Chair Statement on Voter File Access

Today, DNC Chair Rep. Debbie Wasserman Schultz issued the following statement:
 
“The Sanders campaign has now complied with the DNC’s request to provide the information that we have requested of them. Based on this information, we are restoring the Sanders campaign’s access to the voter file, but will continue to investigate to ensure that the data that was inappropriately accessed has been deleted and is no longer in possession of the Sanders campaign. The Sanders campaign has agreed to fully cooperate with the continuing DNC investigation of this breach. The fact that data was accessed inappropriately is completely unacceptable, and the DNC expects each campaign to operate with integrity going forward with respect to the voter file.
 
The DNC has worked hard to build a state-of-the-art voter file that will help us elect Democrats up and down the ticket in November and beyond, and we will continue to work with our vendor to ensure that a breach of this nature never, ever happens again and that our data is secure.
 
We are glad that all parties are moving forward and that the candidates and the party can refocus on engaging voters on the issues that matter to them: building on the President’s legacy of creating jobs,  growing the economy, and a robust discussion on how we can keep Americans safe.”
 
 ###

Hillary for America
December 19, 2015   rec'd 1:43 AM

Hillary for America Statement on Agreement Between DNC, Sanders Campaign on Data Breach

Following the Democratic National Committee's agreement with Bernie Sanders' campaign late Friday night to restore the campaign's voter file access in exchange for the campaign signing an affidavit regarding its staff's actions and submitting to an independent audit, Hillary for America press secretary Brian Fallon released the following statement:
 
“We are pleased that the Sanders campaign has agreed to submit to an independent audit to determine the full extent of the intrusion its staff carried out earlier this week, and also to ensure that Sanders' voter file no longer contains any of the proprietary data that was taken from us. We believe this audit should proceed immediately, and, pending its findings, we expect further disciplinary action to be taken as appropriate.”
 
###


More than Four Months Later...

Bernie 2016
April 29, 2016
Contact: Michael Briggs 

Independent Investigation Confirms Sanders Campaign Told the Truth 

BURLINGTON, Vt. – Four months ago, in an impulsive overreaction and at a critical point in the campaign just weeks before the closest Iowa caucus results in history, the DNC shut down the Sanders campaign’s access to its own voter file data, only restoring access after the campaign filed a lawsuit in Federal court.

Now, four months later, an independent investigation of the firewall failures in the DNC’s shared voter file database has definitively confirmed that the original claims by the DNC and the Clinton campaign were wholly inaccurate – the Sanders campaign never “stole” any voter file data; the Sanders campaign never “exported” any unauthorized voter file data; and the Sanders campaign certainly never had access to the Clinton campaign’s “strategic road map.”

In fact, the independent investigation has confirmed what the Sanders campaign said from the start:

  • - The DNC’s security failures allowed four Sanders campaign staffers – three junior-level staffers led by a manager who had been hired at the recommendation of the DNC and who was immediately terminated after the incident – to have extremely short-lived access for one hour to Hillary for America’s scoring models, but not to any of Hillary for America’s proprietary voter data.

  • - No one else in the Sanders campaign, outside these four staffers, accessed the Hillary for America’s scoring models or had knowledge that the activity was taking place until well after the incident was over.

  • - With one exception, all unauthorized access took place within the DNC’s own system. While there is evidence that the terminated staffer may have exported a summary data table, the independent investigation of Sanders campaign computers could not locate that file and no one in the Sanders campaign has ever seen that file.
With the investigation behind us, the campaign has withdrawn its lawsuit against the DNC today but continues to implore the DNC to address the systemic instability that remains in its voter file system. It is imperative that the DNC make it a top priority to prevent future data security failures in the voter file system, failures that only serve as unnecessary distractions to the democratic process.

Bernie Sanders' Campaign Manager Jeff Weaver said “We are gratified by the results of this independent investigation.”
###


Democratic National Committee
April 29, 2016

DNC Statement

On December 18, 2015, the Democratic National Committee and Bernie 2016 appeared in United States District Court on Bernie 2016’s indication that it would be seeking an injunction in the breach of contract action it filed against the DNC earlier that day. The Sanders campaign alleged that the DNC wrongfully terminated its access to the party-administered voter file system, VoteBuilder, following DNC’s discovery that Sanders campaign personnel had discovered a flaw in system security and had accessed Clinton campaign proprietary score data. 
 
The parties proceeded in the course of the hearing to settle the immediate issue before the Court. The DNC agreed to restore access to VoteBuilder by the next day, and the campaign agreed to cooperate in an independent investigation of the data breach.  The Sanders campaign also agreed as part of this investigation to assume a share of the costs of the investigation.
 
The DNC and the Sanders campaign agreed on the retention of CrowdStrike to conduct the investigation. Over a five-week period and the commitment to the work of 128 hours, CrowdStrike examined user activity within VoteBuilder by three Democratic Presidential campaigns: Hillary for America, Bernie 2016, and O’Malley for President.  Additionally, CrowdStrike conducted a forensic examination of two systems belonging to the Bernie 2016 campaign. The investigation sought to first identify whether any campaigns’ users accessed data via the VoteBuilder system in an unauthorized fashion and then determine the nature of any unauthorized access that did occur.
 
The cybersecurity firm CrowdStrike has concluded the independent investigation agreed to by the DNC and Bernie 2016.  It identified evidence of unauthorized access via four user accounts from the Bernie 2016 campaign.  All unauthorized access occurred during a one-hour period from 10:41 to 11:42 EST on December 16, 2015.
 
During that time, the four users conducted 25 searches using proprietary Hillary for America score data across 11 states.  All of the results of these searches were saved within the VoteBuilder system, with the exception of one instance where a user exported a statistical summary of a search using HFA scoring in New Hampshire.
 
CrowdStrike found no evidence of unauthorized access by the Hillary for America or O’Malley for President campaigns. 
 
Today, the Sanders campaign also voluntarily dismissed the breach of contract action pending against the DNC.
 
###