Posted on July 6, 2018

Exactis Data Breach and What it Means to You

Exactis, a data broker based in Florida, may not be a familiar company to you, but you are very likely familiar to them. It has been identified as the compiler of one of the most comprehensive collections of personal information ever assembled. Now, after a major data exposure, there is a strong likelihood that whatever information the company holds about you (and there is a lot of it) has been available to any curious bad actor who knew where to look for it.

Late this June, security researcher Vinny Troia discovered that Exactis had mistakenly left a database on a publicly accessible server, containing detailed personal information on nearly 340 million individuals and businesses, almost two terabytes of data. In record count, the Exactis exposure surpasses even the 2017 Equifax breach, in which the data of 145.5 million individuals was stolen by hackers. But unlike the Equifax catastrophe, no intrusion was required: the company simply left the data exposed for anyone to find.

Your personal information is collected and aggregated by companies like this to create your digital fingerprint. Your digital fingerprint can often be accessed without your knowledge or consent by anonymous third parties to personally identify you, track you, advertise to you, or even steal your identity.

It is some small comfort that this leak does not appear to contain Social Security numbers or credit card information. It does, however, include phone numbers, home addresses, interests and habits, education level, email addresses, credit rating, and the ages and genders of one's children, among many other details. The immediate financial risk may not be pressing, but the data leaves people vulnerable to scams, impersonation, profiling, and other fraudulent activity.

The data set is also shockingly comprehensive, with nearly all US adults represented. The exposed records were held in a database belonging to Exactis, a firm that specializes in helping companies reach potential customers by email, postal address, or phone. In a devastating oversight, Exactis never placed the database behind a firewall, so it answered requests from anyone on the internet.

As unsettling as it is, data mining of the sort Exactis used to amass its records is not illegal. And it is big business. From Exactis' own website: "Data is the fuel that powers Exactis. Layer on hundreds of selects including demographic, geographic, lifestyle, interests, and behavioral data to target highly specific audiences with laser-like precision." Concentrating that much sensitive data in one place, unsurprisingly, creates an enormous privacy risk.

Troia, the security researcher who identified the leak, came across the records while examining the security of databases built on Elasticsearch. "The server was kind of wide open," Troia said. "If anybody was looking for it, they could've found it and grabbed the data." Using Shodan, a search engine that indexes internet-connected devices and services, he identified around 7,000 publicly accessible Elasticsearch databases. He later determined that one of them belonged to Exactis. Troia reported his findings to the FBI and to Exactis, and says the data was secured soon afterward.
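The check behind that discovery is simple: an Elasticsearch node with no authentication and no firewall answers an unauthenticated GET on its HTTP port, first with a banner identifying itself and then, on the `_cat/indices` endpoint, with a list of every index and how many documents each holds. The script below is an added example written for this post, not code from Exactis, Troia, or Shodan. It contains offline helpers that interpret those two responses (run here against constructed sample responses that are not real Exactis data) and a `probe()` function that issues the requests against a host you are authorized to test. The host, port, index names and document counts are all assumptions made for illustration.

```python
"""Detect an unauthenticated Elasticsearch node the way an exposed one is found."""
import json
import sys
import urllib.error
import urllib.request

ES_TAGLINE = "You Know, for Search"  # returned in the root response of every Elasticsearch node

# Constructed sample responses shaped like a 6.x node's replies (illustrative, not real data).
SAMPLE_ROOT = json.dumps({
    "name": "node-1",
    "cluster_name": "marketing",
    "version": {"number": "6.2.4", "lucene_version": "7.2.1"},
    "tagline": ES_TAGLINE,
})

SAMPLE_INDICES = json.dumps([
    {"health": "green", "status": "open", "index": "consumers",
     "pri": "5", "rep": "1", "docs.count": "230000000", "store.size": "1.4tb"},
    {"health": "green", "status": "open", "index": "businesses",
     "pri": "5", "rep": "1", "docs.count": "110000000", "store.size": "600gb"},
    # A closed index reports null counts; the summary must not choke on it.
    {"health": "red", "status": "close", "index": "archive",
     "pri": "1", "rep": "0", "docs.count": None, "store.size": None},
])


def classify_root(body):
    """Interpret the body of GET / : is this Elasticsearch, and which version/cluster?"""
    try:
        data = json.loads(body)
    except ValueError:
        return {"is_elasticsearch": False, "version": None, "cluster": None}
    if not isinstance(data, dict):
        return {"is_elasticsearch": False, "version": None, "cluster": None}
    is_es = data.get("tagline") == ES_TAGLINE or "cluster_name" in data
    return {
        "is_elasticsearch": bool(is_es),
        "version": (data.get("version") or {}).get("number"),
        "cluster": data.get("cluster_name"),
    }


def summarize_indices(body):
    """Interpret GET /_cat/indices?format=json : open index names and total readable documents."""
    rows = json.loads(body)
    open_rows = [r for r in rows if r.get("status") == "open"]
    docs = sum(int(r["docs.count"]) for r in open_rows if r.get("docs.count") is not None)
    return {"indices": sorted(r["index"] for r in open_rows), "docs": docs}


def _get(url, timeout):
    """Unauthenticated GET. Returns (status, body), or None if the host is unreachable."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError):
        return None


def probe(host, port=9200, timeout=5):
    """Issue the two requests an opportunistic scanner would make against one host."""
    base = "http://%s:%d" % (host, port)
    first = _get(base + "/", timeout)
    if first is None:
        return {"host": host, "reachable": False}
    status, body = first
    result = {"host": host, "reachable": True, "auth_required": status in (401, 403)}
    if status != 200:
        return result  # 401/403 here means security is enabled; anything else is not Elasticsearch
    result.update(classify_root(body))
    if not result["is_elasticsearch"]:
        return result
    second = _get(base + "/_cat/indices?format=json", timeout)
    if second is not None and second[0] == 200:
        result.update(summarize_indices(second[1]))
        result["exposed"] = bool(result["indices"])  # any readable index means the data is open
    return result


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumed: a host you own
    print(json.dumps(probe(target), indent=2))
```

Run it only against hosts you are authorized to test. A `401` on `/` means the node requires credentials; a `200` on `/` followed by a populated index list is the Exactis condition. The fix is not application-level: bind `network.host` in `elasticsearch.yml` to an internal address rather than `0.0.0.0`, and block TCP 9200 and 9300 at the firewall, because an Elasticsearch node with no security layer configured will answer anyone who can reach it.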

How Exactis obtained so much sensitive information is not clear. It is certainly not alone in collecting people's personal data and selling it for profit. Other information providers build their records from consumer surveys, public records, magazine subscriptions, or by buying data from others who gathered it from you, with consent and in bits and pieces, over time. Exactis' methods are not in legal question; it simply left the metaphorical doors and windows open. How the aftermath plays out remains to be seen.
