Any campaign staffed with people who can’t navigate the shallow waters of phishing emails and how basic online security should be handled ought not to win even a race for dog catcher. But then again, this was the campaign of a woman who kept her email server in her own basement, with a backup in a bathroom in Colorado, when she was secretary of state.
It simply proves that phishing works. Especially when naïve Clinton campaign staffers believe every email they receive. In this case, it was IT staffer Charles Delavan’s mistaken response, using the word “legitimate” instead of “illegitimate,” that handed Clinton chairman John Podesta’s password over to hackers.
The email in question was purportedly from Google, claiming that hackers had attempted to access Podesta’s account. According to the NYT, hundreds of these were sent to all kinds of political targets. It just so happens that the one read by this Podesta aide, who had access to his boss’s email, resulted in the rube clicking on the link in the phishing email, not the one in the reply by Delavan.
“This is a legitimate email,” Charles Delavan, a Clinton campaign aide, replied to another of Mr. Podesta’s aides, who had noticed the alert. “John needs to change his password immediately.”
With another click, a decade of emails that Mr. Podesta maintained in his Gmail account — a total of about 60,000 — were unlocked for the Russian hackers. Mr. Delavan, in an interview, said that his bad advice was a result of a typo: He knew this was a phishing attack, as the campaign was getting dozens of them. He said he had meant to type that it was an “illegitimate” email, an error that he said has plagued him ever since.
Not only did the person who got the phishing email fall for it and misread the reply, but the IT staffer apparently didn’t go back and correct his mistake. And nobody realized it for months. Apparently, getting dozens of phishing emails isn’t enough for IT folks to send a “to all” email with the title something like “Security Alert: DO NOT CLICK ON LINKS in emails that appear to be from Google.”
Because that’s what any normal company would do (like, maybe Goldman Sachs, or Exxon, which will be in charge of running America’s economy and diplomatic corps, respectively). I used to run a payment services company, and we would have been hauled over the coals if anything like this happened to us. We got tested for it regularly by outside security consultants.
Clinton deserved everything she got. She deserved to be hacked because her campaign was too dysfunctional and naïve to take even the most basic security measures to protect their online data. And because she was this careless at the State Department, and in her own campaign, we have every reason to believe she would have been just as careless as president.
I won’t give any credit or praise to Russian hackers or their purposes in hurting Clinton and helping Trump. But really, it’s good this happened before the election, because we really dodged a bullet keeping this disaster away from the White House.