Around 60 US lawmakers from both parties have been unable to send emails to registered voters since last week. iConstituent, which provides a platform that allows politicians to engage with their constituent groups, recently suffered a ransomware incident. At this time, it seems that only the e-newsletter feature of the platform has been affected, but the incident has left many questioning the security of US House of Representatives member data. The Chief Administrative Officer of the House, Catherine Szpindor, has given assurances that the US Government’s network is not associated with the attack on the third-party provider. There is a possibility that the attack is larger than initially thought, since iConstituent also supplies its services to state officials in Georgia, Hawaii, and Nevada, the cities of Los Angeles and Palo Alto, California, and the New York State Assembly. It will be interesting to see how federal and local governments approach third-party platforms moving forward.
Not much else has been released about the scope of this attack thus far, but it will likely be discussed again in the coming weeks. It is important for any organization working with third-party vendors to make sure those vendors have proper security measures in place. Although it’s difficult, a zero-trust approach to security should be a priority and can help lower the chances of suffering consequences from mistakes made by external partners. In this case, a zero-trust approach would require lawmakers to share only non-sensitive data with the third-party solution and not to reuse passwords between this site and other services, so that if data is stolen from iConstituent, it does not have ripple effects on other systems.