Exposed: Exactis’ Database of 340 Million Consumer Records
In late June, Exactis, a Palm Coast, Florida, company found itself at the center of seemingly every news program across the United States. The company had the indubitable honor of exposing the information of 230 million individuals and 110 million companies, which it had in its possession.
The information exposed did not contain customers’ account numbers, logins or passwords—the type of information which we normally associate with a data breach or data leakage. Its customer data wasn’t lost or exposed; rather, it was its product that was exposed. You see, Exactis is a data aggregator. The company collects, collates and then sells data associated with consumer behavior to companies interested in knowing whether a person has a dog or a cat, is a smoker or takes a glass or two of wine.
Interestingly, the security researcher who discovered the information, Vinny Troia, told Wired that he didn’t know from where the information was collected, “… but it’s one of the most comprehensive collections I’ve ever seen.”
Troia said that prior to the Wired piece being published, he had contacted both Exactis and the FBI, and that Exactis had changed the configuration of its ElasticSearch database so that it was no longer readily accessible. He explained how he found the database: He used Shodan to make a query on “publicly accessible servers,” and Exactis came up in the results.
In the ensuing weeks, we waited for Exactis to post a statement on its website explaining the leak, what was exposed and what consumers could do to protect themselves. We’re still waiting.
The Flagler County, Florida, news source FlaglerLive, also located in Palm Coast, was able to speak to Exactis CEO Steve Hardigree about the 340 million records in total that were accessible to the public. Hardigree’s take was that there hadn’t been a data breach nor data leak, because nothing was stolen.
Hardigee said that his company has been working with the security researcher who discovered the database was visible and with the Attorney General’s office as well. “We’re considered enemy No. 1 by the cybercommunity,” he said. “I don’t think it’s going to amount to anything because there’s not been any damage done to anyone.”
As a data aggregator, Exactis collects publicly available information. The company is comprised of less than a handful of individuals, most of whom work remotely. Their ability to scrape the information that consumers, companies or government entities make public is not unique. The compilation of this type of data is common in the marketing world.
Once the raw data is in hand and collated into individual profiles, they can create marketable demographic profiles on individual consumers, which are pure gold to marketeers. Unlike Facebook, which sold and availed to third parties its user’s information, Exactis started from the position of zero data and found information on the consumer (perhaps also from Facebook). These companies also don’t collect their data from observing the behavior of their customers, unlike ISPs, which collect your browsing habits while using their services, or your cable company.
To reiterate, Exactis did not interact with individuals to collect their data, it merely harvested data.
Hardigree noted to FlaglerLive how the fallout from the article had been brutal: innumerable calls from interested parties, media and customers, and at least one death threat. He noted that a few of the company’s partners had asked that their logos be removed from the Exactis website as they moved to distance themselves from the bad news.
Hardigree said his company was generating $350,000 in sales, but the damage done by the misconfigured ElasticSearch database may be the end of his company. “I’m not sure if there’s a way for us to come back,” he said.
The hanging question, then, is: Is the consumer wronged when publicly available information is collected by a third party and the third party then exposes this publicly available information?
