Who is ready for another round of data and security roulette? The latest cybersecurity incident is a data breach at the marketing firm Exactis. At this time the specifics are not clear, but this is what we currently understand.
How was it discovered?
A security researcher, Vinny Troia, discovered earlier this month that Exactis had a database reachable on the internet for anyone to view. Exactis had 2 terabytes of personal data housed openly on a public server. The data works out to roughly 230 million consumer records and 110 million business records, totaling 340 million individuals.
Data Breach Specifics
The data sitting openly in the database is extremely personal in nature. It is important to note that this data does not appear to include sensitive fields such as Social Security numbers or payment card information.
The absence of those fields does not reduce the possibility that anyone (remember, this information was wide open online) could have retrieved the data to commit identity fraud. The individual records stored in the accessible database were very comprehensive, although some of the data has been reported to be outdated or incorrect. Home and email addresses, apparel preferences, pets, the number, age and gender of children, and whether or not an individual smokes were all attributes Exactis categorized in order to build targeted marketing ads.
From Wired’s interview with Vinny Troia: “It seems like this is a database with pretty much every US citizen in it,” says Troia, who is the founder of his own New York-based security company, Night Lion Security. Troia notes that almost every person he’s searched for in the database, he’s found. “I don’t know where the data is coming from, but it’s one of the most comprehensive collections I’ve ever seen,” he says.
Troia has stated that to locate the server an individual would have to know where to look. He discovered the database using the Shodan search engine while testing the security of Elasticsearch databases exposed to the internet.
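For operators who want to check their own deployment against the failure pattern described here (an Elasticsearch node reachable from the internet with no authentication), the following is an added example audit of an `elasticsearch.yml` file; it is not code from Exactis, the researcher, or the Elasticsearch project. It assumes the standard `network.host` and `xpack.security.enabled` settings and the pre-8.x default of security being disabled, and the two configs are constructed samples.

```python
import ipaddress
import re

# Constructed sample configs, not taken from any real deployment.
EXPOSED_CONFIG = """
cluster.name: marketing-data
network.host: 0.0.0.0        # every interface, including the public one
http.port: 9200
"""

HARDENED_CONFIG = """
cluster.name: marketing-data
network.host: 127.0.0.1      # loopback only; reverse proxy or VPN in front
http.port: 9200
xpack.security.enabled: true
"""


def parse_settings(text):
    """Minimal key: value parser for flat elasticsearch.yml lines (ignores comments)."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([\w.]+)\s*:\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip("\"'")
    return settings


def binds_publicly(host):
    """True if a single network.host value listens beyond the loopback interface."""
    if host in ("_local_", "localhost"):
        return False
    if host.startswith("_") or host in ("0.0.0.0", "::"):
        return True  # _site_, _global_, _eth0_ and wildcard binds are all non-loopback
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True  # unknown hostname: treat as exposed until proven otherwise


def audit(text):
    """Return a list of exposure findings for an elasticsearch.yml body."""
    s = parse_settings(text)
    findings = []
    # Elasticsearch defaults network.host to _local_; a list form [a, b] is also allowed.
    hosts = [h.strip() for h in s.get("network.host", "_local_").strip("[]").split(",")]
    public = [h for h in hosts if binds_publicly(h)]
    if public:
        findings.append(f"network.host={','.join(public)} listens beyond loopback")
    # Assumption: pre-8.x default, where security is off unless explicitly enabled.
    if s.get("xpack.security.enabled", "false").lower() != "true":
        findings.append("xpack.security.enabled is not true: HTTP API accepts unauthenticated requests")
    return findings
```

A config that trips both findings is the combination that turns a marketing database into a public one; fixing either binding or authentication alone still leaves a weak posture.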
The server was taken down after the firm was notified of the mass exposure. Exactis has declined to comment on Troia’s findings and has yet to address the 340 million contacts whose information it publicly stored.
Here is some food for thought: what would the implications have been if the US had a GDPR-style policy in place? The data stored by Exactis is not insanely sensitive, but it is likely that Exactis would have been required to disclose the precise use of such intrusive data. What are your thoughts?