Exactis leak exposes database with 340 million records
Experts said the Exactis leak needs to be treated as a learning moment for defining identity online after the marketing firm exposed data on 230 million adults and 110 million businesses.
A marketing firm exposed records on most adults in the U.S., but experts weren't surprised at the number of people affected and said the lesson should be about the depth of data gathered.
Marketing firm Exactis, a data company based in Palm Coast, Fla., exposed 340 million records -- 230 million for individuals and 110 million for business customers -- via a publicly accessible server, meaning anyone who knew where to look could have taken the data. Vinny Troia, security researcher and founder of NightLion Security, headquartered in St. Louis, Mo., discovered the potential Exactis leak and wrote on Twitter that he is working with the company to determine if anyone accessed the data. Exactis has since secured the server.
The data potentially exposed in the Exactis leak added up to 2 terabytes of information, including phone numbers, home and email addresses, but Bruce Silcoff, CEO of Shyft Network International, a cybersecurity company based in Barbados, said the Exactis leak is noteworthy "not only for the number of customers impacted, but also for the depth of compromised data."
"It's been reported that every record includes more than 400 variables of personal characteristics," Silcoff wrote via email. "The reality is that we live in a digitized world and all our interactions on social channels are recorded, and this isn't stopping anytime soon. The centralized storage of user information makes institutions like Exactis hacker bait. Never has there been such urgency nor opportunity to introduce a disruptive alternative to an antiquated system and solve an urgent global problem."
Wired's original report on the Exactis leak noted that the personal characteristics data could include information such as personal interests and habits, whether the person smokes or has pets, and the number, age and gender of the person's children.
Troia told Wired that he found the Exactis leak with a simple Shodan search for ElasticSearch databases on publicly accessible servers in the U.S. While there is a huge trove of personal information, the dataset does not include Social Security numbers or credit cards, so experts said it would be more useful for social engineering.
Nico Fischbach, global CTO at Forcepoint, said the highly sensitive data in the Exactis leak "could be exploited by malicious actors to carry out a number of different types of attacks."
"If an attacker combined this intel with data from the 2015 OPM breach, they could run human intelligence-type special operations attacks against cleared personnel. It's also a huge asset to criminals using impersonation as a tool for phishing. Further, as 110 million of the records pertain to businesses, criminals could utilize the data for spear-phishing campaigns aimed at data exfiltration," Fischbach wrote via email. "In the case of Cambridge Analytica, attackers had to 'steal' this type of profile data from Facebook, but, with Exactis, the data was publicly accessible on a server with weak or no authentication. This further underscores the need for enterprises to focus on knowing how their people interact with their data, have insight to risky activity and to think ahead on how vulnerabilities like this could be mitigated against, or prevented entirely."
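The root cause described above is an Elasticsearch node reachable from the internet that answers anonymous requests, which is exactly the condition a defender should check for on their own deployments. The following Python self-audit is an added example for this article; it is not code from Exactis, NightLion Security or any of the vendors quoted. It assumes Elasticsearch's standard responses: the JSON banner that GET / returns on an open node, the 401 security_exception body returned when authentication is enabled, and the GET /_cat/indices?format=json listing. The host, cluster and index names in the samples are constructed, not captured from any real server.

```python
"""Self-audit: does an Elasticsearch endpoint hand its cluster banner and index
listing to a client that presents no credentials? Run it only against nodes you
operate, e.g. python es_audit.py http://127.0.0.1:9200. With no argument it
replays constructed sample responses offline."""
import json
import sys
import urllib.error
import urllib.request

EXPOSED = "exposed"              # banner served with no credentials at all
AUTH_REQUIRED = "auth_required"  # HTTP 401 carrying a security_exception
NOT_ES = "not_elasticsearch"     # not an Elasticsearch root response

# Constructed sample responses (assumed Elasticsearch formats, invented values).
SAMPLE_OPEN_BANNER = json.dumps({
    "name": "node-1", "cluster_name": "marketing-data", "cluster_uuid": "abc123",
    "version": {"number": "6.2.4"}, "tagline": "You Know, for Search",
})
SAMPLE_401_BODY = json.dumps({
    "error": {
        "root_cause": [{"type": "security_exception",
                        "reason": "missing authentication credentials for REST request [/]"}],
        "type": "security_exception",
        "reason": "missing authentication credentials for REST request [/]",
    },
    "status": 401,
})
SAMPLE_CAT_INDICES = json.dumps([
    {"health": "green", "status": "open", "index": "consumers", "docs.count": "230000000"},
    {"health": "green", "status": "open", "index": "businesses", "docs.count": "110000000"},
    {"health": "green", "status": "open", "index": ".kibana", "docs.count": "3"},
])


def classify_es_response(status, body):
    """Classify the response to an unauthenticated GET / on a suspected ES port."""
    try:
        doc = json.loads(body)
    except ValueError:
        return NOT_ES
    if not isinstance(doc, dict):
        return NOT_ES
    if status == 401 and isinstance(doc.get("error"), dict):
        causes = doc["error"].get("root_cause") or []
        if any(isinstance(c, dict) and c.get("type") == "security_exception" for c in causes):
            return AUTH_REQUIRED
    if status == 200 and doc.get("tagline") == "You Know, for Search" and "cluster_name" in doc:
        return EXPOSED
    return NOT_ES


def summarize_indices(body):
    """Parse /_cat/indices?format=json into {index: doc_count}, skipping dot-prefixed
    system indices. The total is how many records an anonymous client could enumerate."""
    counts = {}
    for row in json.loads(body):
        if not isinstance(row, dict):
            continue
        name = row.get("index", "")
        if not name or name.startswith("."):
            continue
        try:
            counts[name] = int(row.get("docs.count") or 0)
        except ValueError:
            counts[name] = 0
    return counts


def fetch(url, timeout=5):
    """GET url with no credentials and return (status, body). This is the only
    place network access happens, and only when main() is given a URL."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def audit(base_url, fetch_fn=fetch):
    """Return (verdict, {index: doc_count}); the index map is filled only when the
    banner was served without credentials."""
    base = base_url.rstrip("/")
    status, body = fetch_fn(base + "/")
    verdict = classify_es_response(status, body)
    counts = {}
    if verdict == EXPOSED:
        status, body = fetch_fn(base + "/_cat/indices?format=json")
        if status == 200:
            counts = summarize_indices(body)
    return verdict, counts


def _fake_fetch(url):
    """Stand-in for fetch() that replays the constructed samples (offline demo)."""
    if url.endswith("/_cat/indices?format=json"):
        return 200, SAMPLE_CAT_INDICES
    return 200, SAMPLE_OPEN_BANNER


def main(argv):
    if len(argv) > 1:
        verdict, counts = audit(argv[1])
    else:
        verdict, counts = audit("http://es.example.invalid:9200", fetch_fn=_fake_fetch)
    print("verdict:", verdict)
    if counts:
        print("anonymously listable records:", sum(counts.values()), counts)


if __name__ == "__main__":
    main(sys.argv)
```

A verdict of `exposed` on a host that is reachable from outside your network is the Exactis condition: anyone who finds the port can read the banner, list the indices and count the documents. The fix is configuration, not code: bind `network.host` to an internal interface, require authentication on the REST API, and put the node behind a firewall or reverse proxy, then rerun the audit from outside to confirm the verdict changes.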
Ruchika Mishra, director of products and solutions at Balbix, a cybersecurity company headquartered in San Jose, Calif., said this was likely a problem of Exactis not understanding the mindset of an attacker.
"There's no doubt in my mind that Exactis knew exactly what type of information they had and the ramifications there would be if there was a breach," Mishra wrote via email. "But the problem with most enterprises today is that they don't have the foresight and visibility into the hundreds of attack vectors -- be it misconfigurations, employees at risk of being phished, admin using credentials across personal and business accounts -- that could be exploited."
Robert Capps, vice president and authentication strategist for NuData Security, a behavioral biometrics company based in Vancouver, British Columbia, said "if U.S. citizens did not think their personal information has ever been compromised, this should convince them it definitely is."
"Unfortunately, breaches are here to stay, but government agencies, businesses, and organizations across the U.S. can protect users by applying a new authentication framework," Capps wrote via email. "Multi-layered security solutions based on passive biometrics and behavioral analytics make this stolen information useless to cybercriminals, as they identify users based on their behavior instead of data such as names, last names, dates of birth, passwords, addresses, and more."