It's been discovered that a marketing company left almost two terabytes of sensitive data exposed on the internet for anybody to access. And what was inside that massive haul of data? The detailed personal information of 230 million consumers and 110 million business contacts - including phone numbers, addresses, dates of birth, estimated income, number of children, age and gender of children, education level, credit rating, interests and more. In short, "pretty much every U.S. citizen" is included in the database. As Wired describes, the level of detail exposed in the data breach is extraordinary:
"Each record contains entries that go far beyond contact information and public records to include more than 400 variables on a vast range of specific characteristics: whether the person smokes, their religion, whether they have dogs or cats, and interests as varied as scuba diving and plus-size apparel."
The only saving grace is that the leak does not appear to have included any credit card data or Social Security Numbers. That's obviously a relief, but there are still clear opportunities for criminals to exploit the information if they managed to get their claws on it. The company that left itself exposed is Florida-based Exactis, a marketing and data aggregation firm that you almost certainly never heard of before the story made headlines courtesy of security researcher Vinny Troia. As Troia tells Wired, he found the data when combing through the internet for publicly accessible servers running ElasticSearch databases. The Exactis database was not protected by a firewall. In other words, it was easy for Troia to collect the information. Thankfully, Troia is one of the good guys - and he informed Exactis and the FBI about his discovery. As a result, the massive database is no longer accessible online. But the obvious question still needs to be asked - might others with less honorable intentions have also grabbed the data? It certainly seems a possibility, especially as we simply don't know how long the data had been left exposed on the internet. Weeks? Months? Years? We don't know whether online criminals might have also accessed the sensitive data, and it's perfectly possible that Troia was indeed the first person to discover the database. Let's pray he was. But when it comes to our most personal information, we can't just rely on prayers. Organizations that store vast amounts of information about individuals need to have proper security measures in place to ensure that it cannot fall into the wrong hands. Companies like Exactis find themselves in a quandary. They need data to do their business. In fact, they're in the data broker business, which means without significant amounts of data, they have no way of doing work. As Exactis's own website proclaims:
Data is the fuel that powers Exactis. Layer on hundreds of selects including demographic, geographic, lifestyle, interests, and behavioral data to target highly specific audiences with laser-like precision.
And yet, it's evident that collecting, managing and securing large amounts of personal information about consumers and businesses can clearly be a significant challenge. Just ask Equifax, another company you probably never realised you had any relationship with, and yet knew an awful lot about you. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
