Security Experts:

Massive Breach at Data Broker Exactis Exposes Millions of Americans

Security Researcher Vinny Troia has discovered another sensitive database exposed on the internet. This one uses Elasticsearch, which allows easy data searching over the internet. Elasticsearch offers security including authentication and role-based access control -- but not all customers deploy it.

Troia was interested in Elasticsearch security and used Shodan to find U.S. Elasticsearch databases visible on the internet. According to a report in Wired, he found around 7,000. One stood out -- a database owned by Florida-based data broker firm Exactis and containing personal data on both consumers and businesses.

What makes this discovery exceptional was the sheer size of the database, the sensitivity of the content, and the complete lack of security. Precise details are difficult to ascertain, and Exactis has not been forthcoming with details. However, it appears to contain something like 340 million records (230 million on consumers and 110 million on business contacts); making it a far bigger potential breach than last year's Equifax breach.

The Exactis website claims the firm has consumer data on 218 million individuals and 110 million households. Eight-eight million have email addresses and matching postal addresses, and 112 million include residential phone numbers. Business data includes 21 million companies, 40 million postal addresses, 21 million records with email addresses and matching postal address, and 52 million with business phone numbers.

How much of this was exposed is not known, but it is potentially everything. It doesn't include social security numbers or payment details, but goes into great detail for each individual, including interests, habits and the age and gender of children. It apparently includes more than 400 variables ranging from religion, pets, whether a person smokes, to personal interests.

Troia reported his findings to both Exactis and the FBI; and the database is no longer accessible. However, there is no way of knowing whether anyone other than Troia also located and accessed the data. While Exactis sells this data to businesses to help compile compelling and personalized marketing campaigns, in the hands of cyber criminals the same data could equally be used to compile compelling and personalized phishing campaigns. Any hope that cyber criminals don't use Shodan in the same way and to the same effect as Troia is unfounded.

Robert Capps, VP and Authentication Strategist for NuData Security comments, "If U.S. citizens did not think their personal information has ever been compromised, this should convince them it definitely is. This latest breach blows up the 2018 tab with 230-million records exposed in just one incident."

Chris Olson, CEO of The Media Trust, believes that government must now take a lead. "Data providers need to keep in mind that they are prime targets for cybercriminals who want to commit identity theft and have tools to find databases on publicly accessible servers. While we have yet to find out whether the data they have exposed on a public server has been misappropriated by malicious actors, the scope of and negligence behind this leak could prompt greater demand among already wary U.S. consumers for stronger regulations around data privacy like the EU's GDPR. Such regulations would restrict how personal data is not only stored but used in the U.S." 

Carl Wright, chief revenue officer for AttackIQ, holds a similar view. "When a breach such as this occurs, it reinforces the need for government to hold these organizations accountable to the individuals impacted.  This will be the only way to ensure that corporations take the necessary steps to secure consumer data.  Corporations and government entities must be required to continuously prove that their cyber security protections are able to defeat or detect attackers."

This already happens in Europe with the EU's General Data Protection Regulation (GDPR). It seems to be beginning in the U.S. Yesterday, California Gov. Jerry Brown signed the California Consumer Privacy Act of 2018 (Assembly Bill 375). 

"With GDPR now in full effect," comments Richard Henderson, global security strategist at Absolute, "I've been expecting legislation such as this to start to reach consumer-focused states in the US for some time. Other states like New York and Massachusetts will likely follow suit and draft their own citizen-friendly data rights laws. Many individual states will not sit on their hands waiting for a federal initiative that may never come."

The California Act will not come into effect until the beginning of 2020 -- but it will undoubtedly make firms like Exactis re-evaluate what they do, how they do it, and how they secure it. The legislation says, for example, "The bill would require a business to make disclosures about the information and the purposes for which it is used. The bill would grant a consumer the right to request deletion of personal information and would require the business to delete upon receipt of a verified request, as specified."

Meanwhile, 'victims' of the Exactis breach are not waiting for the new law. A proposed class action was lodged in the Florida federal court on Thursday, claiming that Exactis made no attempt to follow best practice guidelines to protect the data. "Despite these well-publicized Senate and other expert reports, defendant failed to heed the recommendations, and inexplicably left its server -- and the personal information which rested thereon -- vulnerable and available to even the most basic cyberattack," claims the suit. It asserts negligence, unjust enrichment claims, and claims under Florida's Deceptive and Unfair Trade Practices Act, and seeks compensatory, punitive, and exemplary damages.

Referring to the California Act, Henderson adds, "I think we are on the threshold of a new period of customer-focused data protections. State and local governments have waited a long time for organizations to take care of this, and based on the colossal number of breaches and rampant digital thefts that continue to occur, they've had enough."

Related: Elasticsearch Servers Latest Target of Ransom Attacks 

Related: Honeypot Catches 8,000 Attempts to Exploit Critical Elasticsearch Flaw 

Related: Privacy: Why Europeans Think You're Inadequate 

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.