In the three years since Russian operatives breached the servers of the Democratic National Committee and threw presidential politics into a state of perpetual chaos, countries around the world have been on notice to the threat of foreign interference in elections. But as the US prepares for another presidential election next year, and as the European Union holds parliamentary elections this week, a new report reveals a range of obvious and ongoing security flaws that could leave political parties in both places vulnerable to attack.

The report, which will publish Tuesday, was compiled by SecurityScorecard, a New York–based risk analysis firm that monitors IT infrastructure for more than 1 million entities around the world. For this report, the researchers drilled down into the networks operated by 29 political parties from 11 countries during the first quarter of this year. In general, they found that smaller parties in both the EU and the US pose the biggest risks.

In the US, their analysis included the Democratic National Committee, the Republican National Committee, the Green Party, and the Libertarian Party. They found that while the DNC and the RNC have strengthened their defenses since 2016, both major parties have cybersecurity hygiene issues that could still make them targets for dedicated adversaries. Another US party, which the researchers declined to name in the report, left a searchable tool exposed, leaking voter names, dates of birth, and addresses, information that is not publicly available in most states. That flaw has since been patched, after the researchers contacted the party.

In Europe, meanwhile, the researchers detected active malware running on one network registered to the EU.

According to Jasson Casey, chief technology officer of SecurityScorecard, the findings point to the scope of the challenge for political parties, which are often under-resourced, but are nonetheless collecting data sets that both organized criminals and foreign adversaries would find valuable. “The obvious question that comes out is: Is it even possible for these political parties to run effective defenses?” Casey says. “If large companies have a hard time with this, how can small political organizations do it?”

The SecurityScorecard researchers used a standard checklist to grade the parties on their security practices on a scale from 1 to 100, docking points based on the severity of the issues they discovered. Generally, a score of 80 or higher is considered good, with an organization less likely to experience a breach.

Issie Lapowsky covers the intersection of tech, politics, and national affairs for WIRED.

In the US, both the DNC and the RNC have worked to fortify their technical infrastructure since 2016, and, based on SecurityScorecard's findings from 2016, it shows, Casey says. That year, the firm's researchers gave Republicans a score of 84, after discovering a large number of expired security certificates on websites affiliated with the RNC. The Democrats, meanwhile, received an 80 in 2016, thanks to malware operating on the DNC system. Those issues now appear to be fixed, raising the parties' scores to 87 and 84, respectively. And yet, there are still some chinks in each organization's armor.

The DNC, for instance, has begun using a two-factor authentication tool called Okta, which is generally a good thing. But the researchers discovered one instance where what appears to be a calendar tool that uses two-factor authentication was being served over an HTTP connection, instead of the more secure HTTPS, which encrypts data as it travels between a browser and web server. Because it’s an unencrypted connection, a dedicated hacker could stage what’s called a man-in-the-middle attack, redirecting traffic from the initial URL to a fake Okta site. There, an attacker could harvest the DNC staffer’s login credentials without the staffer realizing.

The DNC's head of cybersecurity, Bob Lord, says that particular URL isn't actually being used by any DNC staffers and that his team is looking into its origins. After being contacted by WIRED, the DNC shut down the URL just to be safe. "It's a good thing to clean up. It’s good to make sure that things that are built out, for whatever purpose, get deprecated and removed," Lord says. "I love that we’ve been able to get people to notify us when they've detected something that’s not quite right or something that could be improved."
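A defender-side check for the exposure described above, a login-protected page answering over plain HTTP, is sketched here as an added example; it is not code from SecurityScorecard, the DNC, or the article. The hostnames, the recorded responses, and the function names `audit` and `hsts_enabled` are all assumptions made for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample data: recorded (status, headers) per URL. Hostnames are placeholders.
CAPTURED = {
    "http://calendar.party.example/login": (200, {"Content-Type": "text/html"}),
    "http://mail.party.example/": (301, {"Location": "https://mail.party.example/"}),
    "https://mail.party.example/": (200, {}),
    "http://sso.party.example/": (301, {"Location": "https://sso.party.example/"}),
    "https://sso.party.example/": (200, {"Strict-Transport-Security": "max-age=31536000"}),
}

def hsts_enabled(value):
    """True if a Strict-Transport-Security header value carries max-age > 0."""
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name.lower() == "max-age":
            val = val.strip('"')
            return val.isdigit() and int(val) > 0
    return False

def audit(url, captured, max_hops=5):
    """Walk the recorded redirect chain from url and return a list of findings."""
    findings = []
    for _ in range(max_hops):
        if url not in captured:
            findings.append(f"no recorded response for {url}")
            return findings
        status, headers = captured[url]
        headers = {k.lower(): v for k, v in headers.items()}
        if status in (301, 302, 303, 307, 308) and "location" in headers:
            url = urljoin(url, headers["location"])
            if urlsplit(url).scheme != "https":
                findings.append(f"redirect to non-HTTPS target: {url}")
            continue
        if urlsplit(url).scheme == "http":
            findings.append(f"content served over cleartext HTTP: {url}")
        elif not hsts_enabled(headers.get("strict-transport-security", "")):
            findings.append(f"no HSTS on {url}: the first HTTP request stays interceptable")
        return findings
    findings.append("redirect chain exceeds max_hops")
    return findings

if __name__ == "__main__":
    for start in ("http://calendar.party.example/login",
                  "http://mail.party.example/", "http://sso.party.example/"):
        print(start, "->", audit(start, CAPTURED) or "ok")
```

The second case shows why a redirect to HTTPS alone is not enough: without an HSTS header the browser's first request still goes out in cleartext on every visit.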