UPDATED 22:42 EST / JUNE 27 2018


Marketing firm exposes 340M records via misconfigured cloud storage

In what is likely the largest cloud misconfiguration data exposure to date, a little-known Florida marketing firm has exposed 340 million records online to all and sundry.

The exposure by Exactis, discovered by security researcher Vinny Troia, included 2 terabytes of data relating to 230 million people, nearly every U.S. citizen and resident over the age of 18, as well as 110 million business records.

The data itself did not include Social Security numbers or credit card details, but it did include every other conceivable data point about the individuals and businesses listed. The records included names, addresses, phone numbers, email addresses, interests, and the number, age and gender of their children, with the average record including 400 variables on characteristics of each person and business listed in the database.

“It seems like this is a database with pretty much every U.S. citizen in it,” Troia told Wired, adding that “it’s one of the most comprehensive collections I’ve ever seen.”

The good news is that there is no evidence that the database had been accessed by bad actors. But the case highlights both the need for improved cloud-based security and, in the post-Equifax age, issues relating to companies gathering this much data to begin with. Exactis itself has yet to confirm that the data was exposed or to comment on the alleged number of records found.

John Robinson, cybersecurity strategist at Cofense Inc., told SiliconANGLE that while it doesn’t appear that Social Security numbers were compromised, the Exactis data leak should enrage consumers and businesses alike.

“The sheer amount of cloud databases left accessible on the Internet is astounding, especially when one considers the type and amount of data that users store on it without giving it a second thought,” he said. Just because the server was left open to the public, he noted, does not mean the data was stolen by malicious hackers, but that’s not certain.

“The data reported to have been leaked is incredibly comprehensive and can be used by hackers to develop more targeted phishing scams,” Robinson said. “Phishing scams are more successful when the attacker can craft messages that are relevant to the victim — utilizing data such as addresses, personal interests or information about their family.”

Carl Wright, chief revenue officer for AttackIQ Inc., focused on the lack of security, noting that “consumers are rapidly realizing that there are companies out there that have amassed significant information on them but are failing to provide adequate cybersecurity protections.”

“These companies are using this data to generate significant revenue and in most cases providing little to no value to the consumers,” Wright said. “When a breach such as this occurs, it reinforces the need for government to hold these organizations accountable to the individuals impacted. This will be the only way to ensure that corporations take the necessary steps to secure consumer data. Corporations and government entities must be required to continuously prove that their cybersecurity protections are able to defeat or detect attackers.”

Photo: jepoirrier/Flickr
