Exactis Data Leak Reveals the Dangers of Less Efficient Security Measures around People’s Data
The new data leak at Exactis, a marketing and data-aggregation firm based in Florida, presents a great many opportunities for cybercriminals to launch any number of attacks on unsuspecting victims over the next several months.
Exactis, which collects loads of personal data on nearly every U.S. adult, recently leaked detailed information on both people and businesses in the country, according to an exposé by a security researcher.
The exact number of people that this breach has affected remains unknown, but reports indicate that about 340 million records were involved in the leak on the company’s publicly available server.
The Florida-based data aggregation company claims to be in possession of data on a whopping 218 million U.S. adults, including some 110 million households. It further has some 3.5 billion records (digital, consumer, and business records).
Exactis data leak a lesser threat?
Many potential victims may take comfort in the fact that Exactis does not collect people’s payment information such as credit or debit card data, nor their Social Security Numbers. The marketing firm is largely interested in personal information – including names, addresses, and other very basic and specific details about people’s private lives such as hobbies, religion, and individual preferences.
Additionally, unlike the Equifax data breach that involved massive loss of people’s payment information into the hands of cybercriminals, no evidence has come to light yet indicating that the leaked data on the Exactis server actually fell in the hands of anyone with malicious intent.
According to the individual who discovered the breach, Exactis has since taken protective measures to secure the data.
However, this is not a guarantee that there’s no need for alarm. There is no way to tell just how long the individuals who infiltrated the server might have stayed there undetected. Neither does anyone know the details of their exact intent nor the kind of information they might be interested in.
What is now public knowledge, however, is that the exposed information also included home addresses, email addresses, and phone numbers – which can be a time bomb in the hands of a bad actor.
What was the mistake that led to the Exactis server leak?
The data leak at Exactis was possible because the company left the information up on a public server without any protection around it. This way of storing information in the company left the massive collection exposed for anyone who cared to access and use it. There’s no denying how tempting something like this would be for a data thief, as the database had information about “pretty much every U.S. citizen in it.”
While Vinny Troia, the security expert who exposed this leak admits to not knowing where Exactis obtains all their data, he confirms that the database is truly one of the most comprehensive information resources available of its kind.
Should this data security breach and the numbers associated with it be anything to go by, it would be one of the most detrimental to hit the U.S. in a while. This data leak would beat 2017’s Equifax breach hands down. The Equifax breach has held the record as being one of the most devastating security data breaches to date. It affected the highest number of consumers – up to an estimated total of 145.5 million individuals.
What potential risks are victims of this breach are facing?
The damage is done, so what are the repercussions? What does this mean to the individuals and businesses whose details have been breached? What possible solutions do they have at their disposal?
Persons whose personal details are now out there can expect to receive streams of annoying spam emails in their inboxes.
If spammers got hold of someone’s personal information from the Exactis data leak, this would mean a fresh new list of email addresses to send unsolicited offers to. This class of cybercriminals makes money off signals such as website pop-up ad impressions or email response rates. Clicking on their unsolicited emails would be generating money for them without intending to.
A direr possibility, the data might fall into the hands of identity thieves. These criminals could use the email addresses obtained from the leaked collection to create any number of phishing schemes.
The consumers who have lost their personal information, therefore, run the risk of being targeted by phishing attack emails, which involve criminals impersonating legitimate senders attempting to trick them (unsuspecting recipients) into clicking malicious links in these emails. Clicking such malicious links would trigger the download of malware onto these victims’ computers.
Attackers may also trick these victims whose emails they (attackers) have gathered, into giving out some confidential and more valuable information such as usernames and passwords, credit card data, and even Social Security numbers.
Knowing what to expect is the first step in preparing for the consequences of this breach. At the end of the day, you must protect yourself. It is utterly important that you do not open any email that originates from an untrusted source. Better still, consider using a suitable email authentication service to protect you from interacting with malicious emails. Watch for phishing schemes—expect them to come to your inbox and be prepared. Don’t be fooled by emails that seem a bit too urgent. Cybercriminals always use fear to get you to click on their bad links.
Brian Gray, MCP, is the President at Kraft Technology Group, LLC (KTG), an affiliate of KraftCPAs PLLC. Within his role, Brian is responsible for all aspects of service delivery to our clients. Brian has a decade of experience working for managed service providers. He has worked with clients in a variety of industries, including financial services, accounting, legal, healthcare, manufacturing, and retail.