Data brokers are exceptionally good at gathering, organizing and selling information. But if the revelation that Exactis left 340 million records accessible to anyone who searched for it is any indicator, they aren't particularly good at protecting that data. This latest news means a company most people haven't even heard of has put the private information of a significant portion of the U.S. population at risk. Again.
This exact scenario has been repeated often enough over the last few years that it's starting to become as predictable as a children's story. A company made a bunch of money collecting information about people and then selling it to other companies. But it failed to secure that data, leaving hundreds of millions of people compromised. Soon, we'll probably hear about one year of free identity theft protection and some executive shake-ups. Then, we'll probably learn that even more people were affected by this leak, and then it'll finally leave the news cycle, we expect.
Let's start with the specifics regarding Exactis. The company purports to offer the "highest quality triple-validated business and consumer marketing data" so you can "grow your business with the cleanest most accurate marketing data available!" (That's according to the Google search description--Exactis' website is currently unavailable, presumably because people are rushing to figure out exactly who leaked their information.) This kind of data is valuable to marketers, sure, but it's also useful to hackers who want to target specific people.
Wired reported that Night Lion Security founder Vinny Troia discovered the Exactis leak earlier this month. Troia wasn't specifically looking for a leak from the company; he was merely using the Shodan search tool to find ElasticSearch databases. Exactis' databases appeared in the results, and it wasn't protected by any firewall, so Troia was able to gain access to the company's records. Troia said the databases contained records for 230 million consumers and 110 million businesses, but those figures could change as Exactis responds to and eventually investigates the incident.
Troia discovered this database on a lark with a quick search. What are the odds that people who make their livings peddling stolen information--or taking advantage of it to support more criminal activities--didn't find such a poorly safeguarded trove of personal data? That means a significant portion of the U.S. population (roughly 70 percent) likely had some of their records compromised because of Exactis. We might never know definitively if Troia was the first to discover these databases or merely the first to publicly disclose it.
The good news is that Exactis doesn't appear to have leaked financial information, Social Security Numbers, or similar highly sensitive data. The information it does collect could still be used by scammers or other attackers, but it's not a direct threat to someone's financial health. Wired reported that Exactis secured the databases after Troia revealed the problem, which should mean it can't be accessed by anyone else. However, the company hasn't publicly acknowledged the incident, so we don't know exactly what precautions it's taken.
The bad news is that it seems like the general public is doomed to being compromised by data brokers they don't even know exist. That's exactly what happened with Equifax, which said last year that 143 million people were affected by a data breach. The number of people affected by the breach has continued to grow, however, as has the scope of the affected information. It's probably only a matter of time before another company in Equifax or Exactis' data gathering industry suffers a similar lapse of security. Just wait.