Exactis breach exposes 340m records, may compel GDPR-like regulation in US

News by Teri Robinson

An exposed database at US data broker Exactis exposed nearly 340 million records amounting to around two terabytes of information.

In an email to SC Media UK, Raj Samani, McAfee Fellow and chief scientist at McAfee, commented: “With the news yesterday that another breach has exposed the records of nearly every US citizen to anybody with an internet connection, it is another frightening reminder that our trust in many organisations to protect our data is clearly misplaced.

“The personal information in these findings exposes millions of people, who have likely never even heard of the firm. Moreover, the leak is likely to expose the millions of data subjects to additional risks, so if consumers haven't already signed up to monitor fraudulent activity against their name, they should do so now and be extra vigilant against personalised attacks. The questions for consumers to ask now are: how did you get my data? Can you confirm I consented to this data capture, and how did you take reasonable measures to protect my data?”

Robert Capps, vice president and authentication strategist for NuData Security adds: “If US citizens did not think their personal information has ever been compromised, this should convince them it definitely is,” noting the Exactis “breach blows up the 2018 tab with 230 million [consumer] records exposed in just one incident.”

The exposed database, which contains details on Americans and businesses, was discovered by security researcher and Night Lion Security founder Vinny Troia, who told Wired that it had “pretty much every US citizen in it.”

While payment information and Social Security numbers aren't included in the trove, Troia found personal information on individuals' interests and their children.

“What's most shocking about the leak is how Exactis, which prides itself in having one of the world's largest universal data warehouses, has failed to secure their data with the most basic measures, i.e., storing them all in private servers, fire-walled, etc.,” said Chris Olson, CEO of The Media Trust, who explained that securing data is a part of doing business for every organisation. “Data providers need to keep in mind that they are prime targets for cyber-criminals who want to commit identity theft and have tools to find databases on publicly accessible servers.”
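The “most basic measures” Olson refers to (a datastore reachable only from a private network, behind a firewall, with authentication on) are the kind of thing an operator can check mechanically before a database ever goes live. The following is an added example written for this article, not code from Exactis or from any of the people quoted: it audits a small key=value datastore configuration for three exposure mistakes. The configuration format and its keys (`bind_address`, `auth_enabled`, `firewall_allow`) are hypothetical, and the two sample configurations are constructed to show a wide-open listener beside a hardened one.

```python
"""Audit a (hypothetical) datastore configuration for the basic exposure
mistakes discussed in the article: a listener bound to a wildcard or public
address, authentication switched off, and no firewall allow-list.

The key=value format and key names are constructed for this example and do
not correspond to Exactis' environment or to any specific product.
"""
import ipaddress


def parse_config(text):
    """Parse 'key = value' lines into a dict, skipping blanks and # comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def is_private_bind(addr):
    """True only if the listener accepts connections from loopback or
    private (RFC 1918 / link-local) address space.

    The wildcard addresses are rejected explicitly: Python's ipaddress
    module classifies 0.0.0.0 and :: as 'private', but binding to them
    means listening on every interface, public ones included.
    """
    if addr in ("0.0.0.0", "::"):
        return False
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # hostnames or garbage: cannot verify, so do not trust
    return ip.is_loopback or ip.is_private


def audit(text):
    """Return a list of human-readable findings; an empty list means the
    configuration passes these basic checks."""
    cfg = parse_config(text)
    findings = []

    # Many datastores default to a wildcard bind when the key is absent.
    bind = cfg.get("bind_address", "0.0.0.0")
    if not is_private_bind(bind):
        findings.append(
            f"listener bound to {bind}: reachable from outside the private network")

    if cfg.get("auth_enabled", "false").lower() != "true":
        findings.append(
            "authentication disabled: anyone who can reach the port can read the data")

    allow = [c.strip() for c in cfg.get("firewall_allow", "").split(",") if c.strip()]
    if not allow:
        findings.append("no firewall allow-list: network path to the datastore is unrestricted")
    for cidr in allow:
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            findings.append(f"unparseable firewall entry {cidr!r}")
            continue
        if net.prefixlen == 0:
            findings.append(f"firewall allow-list contains {cidr}: allows the whole internet")
    return findings


# Constructed sample: the exposed shape Olson describes (public listener,
# no login, no network filtering).
EXPOSED = """
# datastore.conf (constructed example)
bind_address = 0.0.0.0
auth_enabled = false
firewall_allow = 0.0.0.0/0
"""

# Constructed sample: the same service kept on private servers, fire-walled,
# with authentication required.
HARDENED = """
# datastore.conf (constructed example)
bind_address = 10.20.0.15
auth_enabled = true
firewall_allow = 10.20.0.0/16, 10.30.1.0/24
"""

if __name__ == "__main__":
    for name, text in (("exposed", EXPOSED), ("hardened", HARDENED)):
        result = audit(text)
        print(f"{name}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

Run as a script it prints three findings for the exposed configuration and `OK` for the hardened one. The point of the wildcard check is worth noting: a naive `ip.is_private` test would wave `0.0.0.0` through, which is exactly the setting that makes a database reachable from the whole internet.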

There's no evidence yet that the information exposed on the Exactis database has been pilfered and used maliciously, but it puts individuals and consumers at risk of a number of attacks. “The data reported to have been leaked is incredibly comprehensive and can be used by hackers to develop more targeted phishing scams,” said John “Lex” Robinson, cyber-security strategist at Cofense, who contended that consumers and businesses should be outraged. “Phishing scams are more successful when the attacker can craft messages that are relevant to the victim—utilising data such as addresses, personal interests or information about their family.”

As breaches, exposed databases and servers and other risks come to light, “consumers are rapidly realising that there are companies out there that have amassed significant information on them but are failing to provide adequate cyber-security protections,” said Carl Wright, chief revenue officer at AttackIQ. “These companies are using this data to generate significant revenue and in most cases providing little to no value to the consumers.”

The numbers in this latest incident might compel the US to adopt stronger privacy protections. “The scope of and negligence behind this leak could prompt greater demand among already wary US consumers for stronger regulations around data privacy like the EU's GDPR,” said Olson.

Such regulations, he said, “would restrict how personal data is not only stored but used in the US.”

Indeed, if any EU citizens are among those affected “by this data breach, it will be interesting to see how the recent enforcement of the EU GDPR will be impacted and how the EU will respond if indeed citizens' data is included in the massive data breach,” said Joseph Carson, chief security scientist at Thycotic, who called the Exactis incident “careless and irresponsible.”

Because GDPR calls for user consent for personal information processed and collected by companies like Exactis, in addition to adequately protecting and securing it “from unauthorised access by using a least privileged approach,” Carson said that “Companies who fail to show they have failed in the basic cyber-security best practices should be held accountable and responsible for failing to protect those who have entrusted them with their data.”

Wright added, “Corporations and government entities must be required to continuously prove that their cybersecurity protections are able to defeat or detect attackers.”

David Ginsburg, vice president of marketing at Cavirin, pointed to California's impending Consumer Privacy Act, saying, “this may serve as a template for protections at the federal level.”

Noting that the company's website was down in a likely response to “this massive data breach,” Carson is waiting to see “if Exactis has a solid and well-prepared incident response plan. Frankly, I hope they have practiced and tested it for such an event as this.”
