Business continuity, CSPs

Are Hillary Clinton Emails in Datto Cloud?

Hillary Clinton's personal email server may have been backed up to Datto's cloud storage and data protection service, according to published reports. Datto offers business continuity and data protection solutions -- linking on-premises hardware to clouds. The Datto services are sold via managed services providers (MSPs).

ChannelE2E reached out to Datto for comment. Update, 11:29 p.m. ET, Oct. 6, 2015: Datto provided an official statement to ChannelE2E at 10:06 p.m. ET.

Our earlier report, ahead of the Datto statement, is below.

According to McClatchyDC:

"Hillary Clinton hired a Connecticut company to back up her emails, and due to a technical glitch some may still reside on one of the firm’s “cloud” storage sites, a Republican Senate committee chairman revealed.

The disclosures, in a letter Monday from Wisconsin Sen. Ron Johnson, heighten the possibility that some of Clinton’s more than 31,000 personal emails may still be recovered. She said last March that she deleted them all upon turning over her official emails to the State Department in December 2014.

Congressional committees have voiced skepticism as to whether the 30,940 emails that the Democratic presidential candidate handed over represented all of her official emails. The FBI is separately investigating whether Clinton’s arrangement put classified information at risk.

His letter to the chief executive of Datto Inc. of Norwalk, Conn., offers the first public confirmation that Clinton or her aides arranged for a backup of her email server after leaving office."

Clinton's use of a personal email server while serving as secretary of state has drawn criticism for a range of issues -- ranging from basic corporate compliance concerns to serious national security risks. Further complicating matters, critics have wondered if Clinton truly turned over all emails to the State Department.

Hillary Clinton Hires an MSP

Enter Platte River, the MSP that maintained Clinton's personal email server. According to McClatchyDC:

"On May 31, 2013, four months after Clinton left office, the Clinton Executive Service Corp., which oversaw her email server contracts, hired Platte River to maintain her account. Its New Jersey-based server replaced the server in the basement of her New York home that handled her emails as secretary of state.

At the same time, Platte River retained Datto to set up a virtual backup server that could provide immediate recovery if the primary server failed, Johnson said in his letter. Datto says it offers two kinds of backup storage: a private cloud virtual server that takes data from a server and converts it into “virtual machines that can be booted instantly,” and an off-site “secure cloud.” "

According to The Wall Street Journal, Datto took steps to protect Hillary Clinton's email backups and has not looked at the data. The Journal reported:

"In mid-August, Datto took steps on its own to disconnect its server from Platte River’s system, thereby preserving the data in its possession from being erased or altered. The person familiar with the matter said the company doesn’t access the data it stores and cannot say what it has in its possession.

Datto is now complying to a request from the FBI to preserve information relevant to the investigation, and has obtained Mrs. Clinton’s consent to turn over that data to law enforcement, according to the person.

A spokesman for Platte River Networks said the Datto device was programed to back up only 30 days’ of email. It has since been turned over to the FBI, he said."

Privately held Datto has been one of the IT industry's fastest-growing companies in recent years, attracting venture capital and advisor guidance from veterans of EMC and VMware. More recently, the company has been planning to push beyond storage and business data protection into the router market.

MSPs, Clouds and Data Privacy

For MSPs that manage customer data in third-party clouds, it's important to understand so-called blind subpoenas. To paraphrase Data on the Edge:

Let's assume an MSP (Data Controller) stores the data of its customers (Data Subjects) with a cloud service provider (Data Processor). Then, assume a blind subpoena is served on the Data Processor (the CSP) without notice to the Data Controller (MSP) or the Data Subject (End Customer). The Data Controller and/or Data Subject do not and may never have an opportunity to object or move to quash the subpoena. And most importantly, the Data Processor may be forbidden to notify the Data Controller or Subject of subpoena service.

I'm not saying a blind subpoena situation currently applies to the Hillary Clinton emails. But it's safe to say the government will be taking a closer look at what data -- if any -- was backed up, and where it now resides.

Joe Panettieri

Joe Panettieri is co-founder & editorial director of MSSP Alert and ChannelE2E, the two leading news & analysis sites for managed service providers in the cybersecurity market.