You’ve heard of Florida. Who hasn’t? But we bet you’ve never heard of a Florida-based marketing company called Exactis.
Only by a stroke of good fortune did this company avoid being hauled into the Hall of Cyber Infamy, alongside Experian, Yahoo, Target and nearly countless others who have all unwittingly exposed sensitive customer information by the million.
We say ‘good fortune’ advisedly because nobody, us included, knows whether the detailed personal information of 230 million US consumers and 110 million business contacts has been scooped up by hackers.
Added up, this information probably covers nearly every American.
What we do know is that this vast quantity of data, two terabytes in all, was sitting in a huge database on the internet without even a firewall for protection.
Luckily, a security researcher called Vinny Troia came across it when he was searching the internet for publicly accessible servers running ElasticSearch databases.
Vinny was probably a bit gobsmacked when he discovered it, but to his credit, he informed Exactis and the FBI.
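The exposure described above comes down to one thing: an Elasticsearch node answering anonymous HTTP requests from the internet. The following is an added example, not code from the original post or from the researcher it describes, of the self-check an operator can run against a node they own to confirm whether it is in that state. It asks the node for `/_cat/indices?format=json` (a standard Elasticsearch endpoint) and classifies the reply; the sample response bodies are constructed for illustration, and the host name is a placeholder.

```python
"""Self-check: does one of our own Elasticsearch nodes answer unauthenticated
requests from the network? Run it from a host outside the trusted network
against a node you operate, e.g.  python es_exposure_check.py es.example.internal
"""
import json
import sys
import urllib.error
import urllib.request

# Constructed sample bodies (not real data) used to exercise the classifier offline.
SAMPLE_EXPOSED = json.dumps([
    {"health": "yellow", "status": "open", "index": "consumer_profiles",
     "docs.count": "230000000", "store.size": "1.3tb"},
    {"health": "green", "status": "open", "index": "business_contacts",
     "docs.count": "110000000", "store.size": "700gb"},
])
SAMPLE_AUTH_REQUIRED = json.dumps(
    {"error": {"type": "security_exception",
               "reason": "missing authentication credentials"}, "status": 401})


def classify_response(status, body_text):
    """Map an HTTP status and body from GET /_cat/indices?format=json to a verdict.

    'exposed'       -> index listing returned with no credentials (the Exactis case)
    'auth_required' -> the node demanded credentials (expected for a hardened node)
    'unreachable'   -> no HTTP response at all (firewalled, or nothing listening)
    'unexpected'    -> something else answered (proxy page, non-ES service, ...)
    """
    if status == 0:
        return "unreachable"
    if status in (401, 403):
        return "auth_required"
    if status == 200:
        try:
            data = json.loads(body_text)
        except ValueError:
            return "unexpected"
        # /_cat/indices?format=json returns a JSON array, one object per index.
        if isinstance(data, list) and all(isinstance(row, dict) for row in data):
            return "exposed"
    return "unexpected"


def summarise_indices(body_text):
    """Return [(index_name, doc_count), ...] sorted by document count, largest first,
    so the operator sees at a glance how much data an anonymous client could read."""
    rows = []
    for row in json.loads(body_text):
        name = row.get("index", "?")
        count = int(row.get("docs.count") or 0)  # cat API reports counts as strings
        rows.append((name, count))
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows


def probe(host, port=9200, timeout=5):
    """Send one anonymous GET to the node and return (status, body). status 0 means
    no HTTP response (connection refused, timeout, DNS failure)."""
    url = f"http://{host}:{port}/_cat/indices?format=json"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:          # 401/403/404 etc. still carry a body
        return err.code, err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError) as err:
        return 0, str(err)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "es.example.internal"  # placeholder host
    status, body = probe(target)
    verdict = classify_response(status, body)
    print(f"{target}: {verdict} (HTTP {status})")
    if verdict == "exposed":
        for name, count in summarise_indices(body):
            print(f"  {name}: {count:,} documents readable without credentials")
```

A verdict of `exposed` means anyone who finds the port can read the indices, exactly the situation the post describes; the fix is to bind the node to a private interface, put it behind a firewall that does not pass port 9200, and turn on Elasticsearch's built-in authentication so the same probe returns `auth_required`.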
It’s not only the huge quantity of data that was sitting there unprotected and vulnerable, probably praying that a hacker shark wouldn’t come along, but also the level of detail potentially exposed:
- Phone numbers, addresses, dates of birth and estimated income
- Number of children, age and gender of children
- Education level and credit ratings
- Smoker or non-smoker, cats or dogs in the home and interests as varied as scuba diving and outsized clothing
In fact, each record held some 400 variable fields covering a wide range of characteristics. The one saving grace is that credit card, debit card and banking information wasn’t in the database.
The big question, though, is whether the information was accessed by hackers before Vinny Troia came across it, or whether he was the first person to discover it.
Exactis must certainly be praying the latter is the case, or it’s goodbye Exactis. The FBI is no doubt carrying out due diligence of sorts by scanning the dark web for this data.
But here’s an issue that surfaces constantly: can organisations that store vast amounts of information be trusted to secure it?
A firewall is the most basic of protective measures, and its absence undoubtedly raised a lot of eyebrows at the FBI and elsewhere.
A potential disaster may well have been averted, but it also underscores the need for individuals to protect their personal data, because clearly those making money out of it aren’t.