"The database logs created by NGP VAN show that four accounts associated with the Sanders team took advantage of the Wednesday morning breach. Staffers conducted searches that would be especially advantageous to the campaign, including lists of its likeliest supporters in 10 early voting states, including Iowa and New Hampshire. Campaigns rent access to a master file of DNC voter information from the party, and update the files with their own data culled from field work and other investments. After one Sanders account gained access to the Clinton data, the audits show, that user began sharing permissions with other Sanders users. The staffers who secured access to the Clinton data included Uretsky and his deputy, Russell Drapkin. The two other usernames that viewed Clinton information were "talani" and "csmith_bernie," created by Uretsky's account after the breach began. The logs show that the Vermont senator’s team created at least 24 lists during the 40-minute breach, which started at 10:40 a.m., and saved those lists to their personal folders. The Sanders searches included New Hampshire lists related to likely voters, "HFA Turnout 60-100" and "HFA Support 50-100," that were conducted and saved by Uretsky. Drapkin's account searched for and saved lists including less likely Clinton voters, "HFA Support <30" in Iowa, and "HFA Turnout 30-70" in New Hampshire. Despite audit logs, Weaver said at the news conference that NGP VAN has told the campaign that no Clinton data was printed or downloaded."
"Saving the list" entails creating a copy of the list on the VAN servers (technically, creating an SQL query). It does not mean copying any of the data locally where it could be kept.
It demonstrates the ability of the Sanders campaign to access the Clinton data without actually having the ability to use it once the breach was sealed, which, like the previous breach, it would inevitably be.
It's like making a copy of the personnel files left in the mailroom and sticking them in your mailbox. Lets you demonstrate they got left out in case VAN tries to say the breach wasn't serious.
"Despite audit logs, Weaver said at the news conference that NGP VAN has told the campaign that no Clinton data was printed or downloaded."
The phrasing here strikes me as somewhat vague. Are they implying that Weaver's statements are in conflict with the audit logs, or are they (somewhat ineffectively) implying that "saving lists" merely equates to bookmarking a certain query?
NGP stated:
"So for voters that a user already had access to, that user was able to search by and view (but not export or save or act on) some attributes that came from another campaign."
What exactly do they mean by "view", let alone "act on"? If someone was truly dedicated to extracting data through their browser, are the terms truly mutually exclusive?
"The Sanders people didn't abuse the bug in any significant way"
It isn't clear if this is true.
"in fact they reported it"
VAN has not stated the issue was reported by the Sanders campaign. The claims that the Sanders campaign had reported an earlier issue are refuted in the OP, which states they had reported issues with another vendor's software.
It is possible the bug was abused:
"The database logs created by NGP VAN show that four accounts associated with the Sanders team took advantage of the Wednesday morning breach. Staffers conducted searches that would be especially advantageous to the campaign, including lists of its likeliest supporters in 10 early voting states, including Iowa and New Hampshire. Campaigns rent access to a master file of DNC voter information from the party, and update the files with their own data culled from field work and other investments.
After one Sanders account gained access to the Clinton data, the audits show, that user began sharing permissions with other Sanders users. The staffers who secured access to the Clinton data included Uretsky and his deputy, Russell Drapkin. The two other usernames that viewed Clinton information were "talani" and "csmith_bernie," created by Uretsky's account after the breach began.
The logs show that the Vermont senator’s team created at least 24 lists during the 40-minute breach, which started at 10:40 a.m., and saved those lists to their personal folders. The Sanders searches included New Hampshire lists related to likely voters, "HFA Turnout 60-100" and "HFA Support 50-100," that were conducted and saved by Uretsky. Drapkin's account searched for and saved lists including less likely Clinton voters, "HFA Support <30" in Iowa, and "HFA Turnout 30-70" in New Hampshire.
Despite audit logs, Weaver said at the news conference that NGP VAN has told the campaign that no Clinton data was printed or downloaded."
A fresh account, commenting on a new, extremely controversial issue should probably disclose affiliations before getting too embroiled in arguing interpretations and facts.
It seems unlikely that someone so disconnected from society as to be completely uninvolved and unopinionated on the topic at hand would have created an account for the specific purpose of commenting on the story.
We are social creatures; we have a deep need to align ourselves with groups of others. And the evidence points to our having a deep need to argue as well.
Hmm, that's much more specific, and seems to go beyond simply establishing that there's a permissions problem and they can see data they shouldn't. I still think cutting off the Sanders campaign from all their data, even after the bug was fixed, is over the top. Perhaps the staffers did act inappropriately or aggressively, but deal with them, and let the campaign continue with its daily business.
The Sanders campaign had in October reported an unrelated software issue in a non-VAN system.
They did not report THIS issue to the DNC or NGP VAN, but claim they were gathering information about the breach for the purposes of reporting. Based on my reading of the OP, the breach was discovered by NGP VAN employees.
"The database logs created by NGP VAN show that four accounts associated with the Sanders team took advantage of the Wednesday morning breach. Staffers conducted searches that would be especially advantageous to the campaign, including lists of its likeliest supporters in 10 early voting states, including Iowa and New Hampshire. Campaigns rent access to a master file of DNC voter information from the party, and update the files with their own data culled from field work and other investments. After one Sanders account gained access to the Clinton data, the audits show, that user began sharing permissions with other Sanders users. The staffers who secured access to the Clinton data included Uretsky and his deputy, Russell Drapkin. The two other usernames that viewed Clinton information were "talani" and "csmith_bernie," created by Uretsky's account after the breach began. The logs show that the Vermont senator’s team created at least 24 lists during the 40-minute breach, which started at 10:40 a.m., and saved those lists to their personal folders. The Sanders searches included New Hampshire lists related to likely voters, "HFA Turnout 60-100" and "HFA Support 50-100," that were conducted and saved by Uretsky. Drapkin's account searched for and saved lists including less likely Clinton voters, "HFA Support <30" in Iowa, and "HFA Turnout 30-70" in New Hampshire. Despite audit logs, Weaver said at the news conference that NGP VAN has told the campaign that no Clinton data was printed or downloaded."
http://www.bloomberg.com/politics/articles/2015-12-18/sander...