Robert Capps, vice president and authentication strategist for NuData Security adds: “If US citizens did not think their personal information has ever been compromised, this should convince them it definitely is,” noting the Exactis “breach blows up the 2018 tab with 230 million [consumer] records exposed in just one incident.”
The exposed database, which contains details on Americans and businesses, was discovered by security researcher and Night Lion Security founder Vinny Troia, who told Wired that it had “pretty much every US citizen in it.”
While payment information and Social Security numbers aren't included in the trove, Troia found personal information on individuals' interests and their children.
“What's most shocking about the leak is how Exactis, which prides itself in having one of the world's largest universal data warehouses, has failed to secure their data with the most basic measures, i.e., storing them all in private servers, firewalled, etc.,” said Chris Olson, CEO of The Media Trust, who explained that securing data is a part of doing business for every organisation. “Data providers need to keep in mind that they are prime targets for cyber-criminals who want to commit identity theft and have tools to find databases on publicly accessible servers.”
There is no evidence yet that the information exposed on the Exactis database has been pilfered and used maliciously, but it puts those whose data was exposed at risk of a range of attacks. “The data reported to have been leaked is incredibly comprehensive and can be used by hackers to develop more targeted phishing scams,” said John “Lex” Robinson, cyber-security strategist at Cofense, who contended that consumers and businesses should be outraged. “Phishing scams are more successful when the attacker can craft messages that are relevant to the victim—utilising data such as addresses, personal interests or information about their family.”
As breaches, exposed databases and servers, and other risks come to light, “consumers are rapidly realising that there are companies out there that have amassed significant information on them but are failing to provide adequate cyber-security protections,” said Carl Wright, chief revenue officer at AttackIQ. “These companies are using this data to generate significant revenue and in most cases providing little to no value to the consumers.”
The numbers in this latest incident might compel the US to adopt stronger privacy protections. “The scope of and negligence behind this leak could prompt greater demand among already wary US consumers for stronger regulations around data privacy like the EU's GDPR,” said Olson.
Such regulations, he said, “would restrict how personal data is not only stored but used in the US.”
Indeed, if any EU citizens are among those affected “by this data breach, it will be interesting to see how the recent enforcement of the EU GDPR will be impacted and how the EU will respond if indeed citizens' data is included in the massive data breach,” said Joseph Carson, chief security scientist at Thycotic, who called the Exactis incident “careless and irresponsible.”
GDPR requires user consent for personal information collected and processed by companies like Exactis, and requires that the data be adequately protected and secured “from unauthorised access by using a least privileged approach,” Carson said, adding that “companies who fail to show they have failed in the basic cyber-security best practices should be held accountable and responsible for failing to protect those who have entrusted them with their data.”
Wright added, “Corporations and government entities must be required to continuously prove that their cyber-security protections are able to defeat or detect attackers.”
David Ginsburg, vice president of marketing at Cavirin, pointed to California's impending Consumer Privacy Act, saying, “this may serve as a template for protections at the federal level.”
Noting that the company's website was down in a likely response to “this massive data breach,” Carson is waiting to see “if Exactis has a solid and well-prepared incident response plan. Frankly, I hope they have practiced and tested it for such an event as this.”