Exactis breach exposes 340M records, may compel GDPR-like reg in U.S.

An unsecured database at data broker Exactis exposed nearly 340 million records, amounting to around two terabytes of information.

“If U.S. citizens did not think their personal information has ever been compromised, this should convince them it definitely is,” said Robert Capps, vice president and authentication strategist for NuData Security, noting the Exactis “breach blows up the 2018 tab with 230 million [consumer] records exposed in just one incident.”

The exposed database, which contains details on Americans and businesses, was discovered by security researcher and Night Lion Security Founder Vinny Troia, who told Wired that it had “pretty much every U.S. citizen in it.”

While payment information and Social Security numbers aren't included in the trove, Troia found personal information on individuals' interests and their children.

“What's most shocking about the leak is how Exactis, which prides itself in having one of the world's largest universal data warehouses, has failed to secure their data with the most basic measures, i.e., storing them all in private servers, fire-walled, etc.,” said Chris Olson, CEO of The Media Trust, who explained that securing data is a part of doing business for every organization. “Data providers need to keep in mind that they are prime targets for cybercriminals who want to commit identity theft and have tools to find databases on publicly accessible servers.”

There's no evidence yet that the information exposed on the Exactis database has been pilfered or used maliciously, but it puts individuals and consumers at risk of a number of attacks. “The data reported to have been leaked is incredibly comprehensive and can be used by hackers to develop more targeted phishing scams,” said John “Lex” Robinson, cybersecurity strategist at Cofense, who contended that consumers and businesses should be outraged. “Phishing scams are more successful when the attacker can craft messages that are relevant to the victim—utilizing data such as addresses, personal interests or information about their family.”

As breaches, exposed databases and servers and other risks come to light, “consumers are rapidly realizing that there are companies out there that have amassed significant information on them but are failing to provide adequate cybersecurity protections,” said Carl Wright, chief revenue officer at AttackIQ. “These companies are using this data to generate significant revenue and in most cases providing little to no value to the consumers.”

The numbers in this latest incident might compel the U.S. to adopt stronger privacy protections. “The scope of and negligence behind this leak could prompt greater demand among already wary U.S. consumers for stronger regulations around data privacy like the EU's GDPR,” said Olson.

Such regulations, he said, “would restrict how personal data is not only stored but used in the U.S.”

Indeed, if any EU citizens are among those affected “by this data breach, it will be interesting to see how the recent enforcement of the EU GDPR will be impacted and how the EU will respond if indeed citizens' data is included in the massive data breach,” said Joseph Carson, chief security scientist at Thycotic, who called the Exactis incident “careless and irresponsible.”

Because GDPR calls for user consent for personal information processed and collected by companies like Exactis, in addition to adequately protecting and securing it “from unauthorized access by using a least privileged approach,” Carson said that “Companies who fail to show they have failed in the basic cybersecurity best practices should be held accountable and responsible for failing to protect those who have entrusted them with their data.”

Wright added, “Corporations and government entities must be required to continuously prove that their cybersecurity protections are able to defeat or detect attackers.”

David Ginsburg, vice president of marketing at Cavirin, pointed to California's impending Consumer Privacy Act, saying, “this may serve as a template for protections at the federal level.”

Noting that the company's website was down in a likely response to “this massive data breach,” Carson is waiting to see “if Exactis has a solid and well-prepared incident response plan. Frankly, I hope they have practiced and tested it for such an event as this.”