Data Aggregation Firm Leaks 340M Records — Left In Plain Sight

By ISBuzz Team, Writer, Information Security Buzz | Jun 29, 2018 07:15 am PST

Exactis is said to have exposed the data of 340 million people, more than the Equifax breach. As with many recently disclosed breaches, the information was left on a publicly accessible server. There is no need to beat that dead horse, but the roughly 2 terabytes of data appear to go into excruciating detail for each individual listed, including phone numbers, home addresses, email addresses, and other highly personal characteristics for every name. The categories range from interests and habits to the number, age, and gender of the person's children. Below, security experts comment on the importance of data protection.

Anurag Kahol, CTO at Bitglass:

"Consumers should be concerned about the type and volume of information that is collected, spliced together and housed in databases such as the one that was leaked by Exactis.

Exposing roughly 340 million records – or a database of nearly 2 TB – to the public internet is a significant offense by the organization and one that we’ve seen dozens of times in the past year, yet it is unlikely that we’ll see anything change unless organizations take the initiative in protecting corporate data.

Regulations like GDPR have already compelled many to reassess their security postures, to deploy technologies that mitigate risk of data loss, and to limit transfer of sensitive consumer data to high-risk third parties.”

Ruchika Mishra, Director of Products and Solutions at Balbix:

"The Exactis breach is a microcosm of today's enterprise risk landscape. There's no doubt in my mind that Exactis knew exactly what type of information they had and the ramifications there would be if there was a breach, but the problem with most enterprises today is that they don't have the foresight and visibility into the hundreds of attack vectors – be it misconfigurations, employees at risk of being phished, admins using credentials across personal and business accounts – that could be exploited. And not only that, organizations also don't have visibility into all of their own IT assets – devices, users, and apps – so they don't know the complete scope of the assets they need to protect.

It could be a while before the real impact of this breach is truly known, and as we’ve become accustomed to, the extent of this breach could be much worse than what was initially reported. It will require a fundamental shift in the way organizations perceive their risk, but given the skills shortage and the exponential growth in attack tactics, the only chance IT security teams and service providers will have is by re-wiring the way they think about risk and putting their full effort into understanding how to avoid breaches of information, IP or services that mean the most to their business.

The constantly changing device demographics and increasing sophistication in cyberattack techniques, including an increase in recent multi-pronged attacks, require a perspective change in an organization's cybersecurity strategy to focus on a more proactive approach to security by understanding the value of an asset, endpoint, database or person based on its impact to the business' bottom line and avoiding getting breached in the first place."