In the information age, it can be difficult to identify who online knows about you. Many of us accept that Google and Facebook maintain profiles about who we are. We use their services, and in return they use this data to target advertisements in a way that is most effective – it’s how they can afford to provide these free services to billions. However, Google and Facebook aren’t the only companies who hoard user data. Exactis, a company you’ve likely never heard of, operates a “data warehouse” of more than 3.5 billion records for use in digital marketing, and some of this data was available to anyone willing to look for it.
In mid-June, security researcher Vinny Troia identified 340 million records, which included interests, contact information, and information on family members, in an unprotected Exactis ElasticSearch database (ElasticSearch is a “big data” search and analysis platform). No social security numbers or financial information were found; however, these profiles contained an alarming amount of data. In an interview with WIRED, Mr. Troia said, “I don’t know where the data is coming from, but it’s one of the most comprehensive collections I’ve ever seen.”
Exactis and the FBI were contacted, and Mr. Troia confirmed the database was no longer accessible. Exactis has not confirmed these findings at this time.
With this in mind, there are a few questions you should ask yourself after any large breach of personal information: “Why is this information important?”, “How can I make sure my organization’s data isn’t out there?”, and “How can I protect myself?”.
This database would be a treasure trove for someone interested in launching a spear phishing (i.e., highly targeted malicious email) campaign. After all, if this data helps marketers convince you to click on an advertisement, it’s equally valuable in convincing you to click on a malicious link. Phishing is still one of the most popular attacks, and with as many as 22% of people failing simulated phishing tests last year, there is a high potential for success. Phishing is one of the most common infection points for ransomware, like Cryptolocker.
All organizations hold sensitive data, which may include client payment information, employee data, or simply the “secret sauce” that gives them a leg up on the competition. You may think this data has little value to those outside your office, but losing this information would lead to a breach of trust between you and your clients, which could have a long-lasting impact on your reputation and could ultimately lead to a loss of business. You should always know what data you have and where it’s located. This can be achieved by having strong policies that dictate how and where data can be stored, and by regularly assessing your network for compliance, vulnerabilities, and improper configurations that may allow someone outside of your organization to access sensitive information.
You can protect your organization by actively testing your employees with simulated phishing emails and providing user awareness training for all employees at least annually. A vulnerability assessment can identify vulnerabilities on your network and improperly configured servers that may unintentionally be present on the internet. You should also regularly monitor your corporate domains for activity on the Dark Web. Information like the data found on the Exactis database is often aggregated and sold on the Dark Web alongside passwords and other sensitive material. By monitoring for this activity, you can react by specifically changing passwords to reduce the risk of an account breach.
It’s important to remember that the United States lacks general information security regulations and instead relies on industry-specific regulations (e.g., HIPAA) to govern how personal information is handled and to define penalties for noncompliance. Europe’s General Data Protection Regulation (GDPR) recently took effect and provides guidance on how data, like that from the Exactis database, is to be secured and what rights individuals have over their data. GDPR has caused some popular websites to block access from the EU while they work on complying with this regulation. It’s only a matter of time until similar regulations are enacted in the United States, so taking steps now to identify and protect your sensitive data may save you from headaches down the road.