WatchPoint Security Blog

Exactis Leaks Personal Data of 340 Million

Written by Jordan Kadlec | July 02, 2018


“Highest quality triple-validated business and consumer marketing data. Grow your business with the cleanest, most accurate marketing data available.” This is usually the first thing you will see when you do a Google Search for Exactis, a Florida-based marketing and data-aggregation firm. However, the “Top Stories” this week are all about how Exactis leaked hundreds of millions of records from its database.

Data Leak not Data Breach

Now, it’s extremely important to note that this was a data LEAK, not a data BREACH. In a data breach, a hacker penetrates the company’s servers and steals the records. In this case, it was essentially terrible data security hygiene on the part of Exactis. The company left the data sitting on Amazon-hosted Elasticsearch servers that were publicly reachable and could be viewed by anyone.

The data leak was first discovered by security researcher Vinny Troia while he was using a search tool called Shodan. Shodan allows researchers to scan for all manner of internet-connected devices. Troia used Shodan to search for Elasticsearch databases; Elasticsearch is a popular type of database that is designed to be queried easily from a simple command line. While combing through the more than 7,000 results, Troia came across the Exactis database, unprotected by any firewall. What he found within this database was approximately 340 million records, more than double the number of records exposed in the Equifax breach that occurred in September of 2017.
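The exposure described above comes down to two settings: a node bound to a public interface and no authentication in front of it. The following is an added example, not code from the original post or from Exactis or Elastic, showing a defender’s pre-deployment check that parses a flat `elasticsearch.yml` and flags that combination. The setting names `network.host`, `http.port` and `xpack.security.enabled` are real Elasticsearch settings; the two sample configurations are constructed for the example, and the parser handles only simple `key: value` lines rather than full YAML.

```python
"""Audit a flat elasticsearch.yml for public, unauthenticated exposure.

Added example (not from the original post or from Elastic). It parses only
simple `key: value` lines and reports a node that binds to a non-loopback
interface without X-Pack security enabled.
"""
from __future__ import annotations

# Values of network.host that keep the node reachable only from the host itself.
LOOPBACK = {"_local_", "127.0.0.1", "::1", "localhost"}

# Constructed sample: the kind of config that leaves an index world-readable.
WEAK_CONFIG = """
cluster.name: marketing-data
network.host: 0.0.0.0      # listen on every interface
http.port: 9200
"""

# Constructed sample: bound to loopback and requiring authentication.
HARDENED_CONFIG = """
cluster.name: marketing-data
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
"""


def parse_flat_yaml(text: str) -> dict[str, str]:
    """Return {key: value} for `key: value` lines; comments and blanks are skipped."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def is_truthy(value: str) -> bool:
    return value.strip().lower() in {"true", "1", "yes"}


def audit(settings: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings: list[str] = []

    # network.host defaults to loopback when absent; it may also be a list.
    host = settings.get("network.host", "_local_")
    hosts = {h.strip() for h in host.strip("[]").split(",")}
    public = not hosts <= LOOPBACK
    if public:
        findings.append(f"network.host={host}: node is reachable from other machines")

    # Without X-Pack security the HTTP API accepts anonymous requests.
    security = settings.get("xpack.security.enabled")
    unauthenticated = security is None or not is_truthy(security)
    if unauthenticated:
        findings.append("xpack.security.enabled is not true: anonymous clients can read every index")

    if public and unauthenticated:
        findings.append("CRITICAL: unauthenticated node bound to a public interface")
    return findings


def audit_text(text: str) -> list[str]:
    return audit(parse_flat_yaml(text))


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}]")
        for finding in audit_text(cfg) or ["no findings"]:
            print("  -", finding)
```

A real deployment would also put the node behind a firewall or security group that only allows trusted client addresses, but the two settings checked here are the ones that turn an internet-facing host into an open database.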

“I’m not the first person to think of scraping ElasticSearch servers,” Troia said. “I’d be surprised if someone else didn’t already have this.”

Leaked Records

The sheer size of the leak is astounding. Troia noted that he found almost every person he searched for in the database.

“It seems like this is a database with pretty much every US citizen in it,” commented Troia. “…I don’t know where the data is coming from, but it’s one of the most comprehensive collections I have ever seen.”

While the highlight of the leak is certainly the 340 million records exposed, the depth of information must also be noted. Aside from the standard information included in typical data breaches, such as first and last names, phone numbers, home addresses, and email addresses, this database goes deep into people’s personal lives. Each record includes more than 400 variables describing specific characteristics of an individual: a person’s religion, whether they have dogs or cats, and other interests such as scuba diving, to name a few.

The Outlook on Databases

The worst thing about a data breach (or LEAK) is that there’s essentially nothing we, as individual users, can do to prevent them. We can’t ensure that companies like Yahoo, Equifax, and now Exactis have the proper security controls in place or, in this case, that they aren’t extremely negligent in protecting our personal information. However, given that the largest data breaches have involved U.S.-based companies, the pattern does highlight the lack of regulation surrounding privacy and data collection in the country. Currently, there are no laws in place that require a company to disclose what kind of data it collects about individuals or how those individuals can limit the way the collected data is stored or used.

Marc Rotenberg, President and CEO of the Electronic Privacy Information Center (EPIC), put it best: “If you have a profile on someone, that person should be able to see their profile and limit its use.” Rotenberg continues: “It’s one thing to subscribe to a magazine. It’s another for a single company to have such a detailed profile of your entire life.”

The European Union (EU) just implemented the General Data Protection Regulation (GDPR), which took effect in May 2018 and addresses data protection and privacy for all individuals within the EU. The regulation primarily aims to give citizens and residents control over their personal data and to simplify the regulatory environment for international business by unifying the rules across the EU. It’s time for the United States to do something about protecting our records, or at least to give us control over what information companies can collect.