EXACTIS DATA BREACH: THE RISK OF DATA EXPOSURE WITHOUT ENDPOINT PROTECTION
Earlier this year Exactis, a Florida-based marketing data broker, had their database (close to 340 million individual records) exposed on a public server. Though hacking efforts didn't expose the data, the personally identifiable information was inexplicably left on an unsecured server without basic security safeguards.
OVERVIEW
If not for a fortuitous discovery, the second largest data breach in US history might still be unknown. Earlier this year, a security researcher checking the vulnerability of publicly accessible ElasticSearch databases came across a finding too massive to ignore. The entire database for Exactis, a Florida-based marketing data broker, was discovered wide open and accessible to anyone who cared to look. The researcher notified both Exactis and the FBI, and the data was then secured – but not before an estimated 340 million records belonging to American individuals were publicly exposed. This breach surpasses the Equifax data breach of 2017, which revealed the financial data of 148 million of its customers. Only the Yahoo hack of 2013, which disclosed the data of 3 billion of its users, is larger, and it stands as the most egregious data breach in internet history. Founded in 2015, Exactis now has the dubious distinction of being second only to Yahoo in the scope and sheer volume of personally identifiable information (PII) exposed – nearly two terabytes' worth. The company has yet to acknowledge the massive breach either in public statements or on their website. Exactis disclosed that they are investigating their breach, which is believed to be the result of leaving the data entirely exposed and unsecured on a public server.
Since 2015, Exactis has been in the business of supplying detailed consumer data to advertisers so that they can target their products and services more accurately. The depth and breadth of the information Exactis makes available to those who purchase it is staggering. The company uses cookies from social media posts and other sources, which are then spliced together to create aggregate files – using more than 400 variables for each profile. The data is then warehoused on their public server. Just some of the PII collected includes email and physical addresses, phone numbers, purchase preferences, age and gender of children and religious affiliations. It’s also indicative of a current state of data collection that many are not aware even exists. Whatever one believes about the intrusive nature and sheer amount of data they collect, it defies logic that Exactis would store their PII on a public-facing server, particularly in an environment where data breaches are sharply increasing. Shortly before the alarm bells rang, an Exactis blog post unwittingly spoke to the irony of their self-inflicted offense: “The most useful…data in the world won’t do a business any good if it isn’t able to safeguard that data.”
CHALLENGE
The difference between the Exactis data breach and most others is that hacking efforts didn’t expose the data. The PII was inexplicably left on an unsecured server without even the most basic security safeguards – firewalls, encryption and password protection. Security experts know that Exactis is far from the only organization collecting massive amounts of data, and that this case is symptomatic of a much larger problem – the inability or unwillingness to give data security the commitment it requires. In the Exactis case, disregard for the PII of 340 million American consumers has consequences yet to be established. The detailed data they collected and put out for public consumption holds the door wide open for hackers, giving them the ammunition they need for countless socially engineered attacks. In the case of Exactis and others, a multi-layered approach requiring commitment at the highest levels of an organization is needed, and appropriate cyber-resilient security measures are necessary. Many believe it’s one thing if an organization finds out about a security vulnerability after being hacked; it’s quite another if they show reckless disregard for security from the outset. The Exactis breach is indicative of entities still not securing their data properly, despite knowing better. It also shows hackers aren’t the only threat actors to be concerned about.
SUMMARY
The Exactis case exposed a lack of foresight into the unprotected attack vectors. Although the breach was ultimately discovered and the data was eventually secured, the length of exposure and the number of days hackers had to access the data are unknown. According to a 2018 study by the Ponemon Institute, the Mean Time to Identify a threat is 197 days, meaning it commonly takes organizations 197 days to identify attackers evaluating defenses, attempting to breach those defenses, and moving throughout the network as a threat. enSilo automates and orchestrates detection, prevention and automated real-time response against advanced malware and ransomware without burdening cybersecurity staff. Our data protection solution is a unique endpoint protection platform, streamlined to address the needs and challenges organizations face, to ultimately stop data breaches in real-time and automatically orchestrate incident investigation and response. Our security motto is to protect data from malicious threats in real-time, protecting data from any type of breach, at any stage of the attack, under any circumstances.