In what is likely the largest cloud misconfiguration data exposure to date, a little-known Florida marketing firm has exposed 340 million records online to all and sundry.

The exposure by Exactis, discovered by security researcher Vinny Troia, included 2 terabytes of data relating to 230 million people, nearly every U.S. citizen and resident over the age of 18, as well as 110 million business records.

The data itself did not include social security numbers nor credit card details versus every conceivable other data point about the individuals and businesses listed. The records included names; addresses; phone numbers; emails addresses; interests and the number, age and gender of their children with the average record including 400 variables on characteristics of each person and business listed in the database.

“It seems like this is a database with pretty much every U.S. citizen in it,” Troia told Wired, adding that “it’s one of the most comprehensive collections I’ve ever seen.”

The good news is that there is no evidence that the database had been accessed by bad actors. But the case highlights both the need for improved cloud-based security and, in the post-Equifax age, issues relating to companies gathering this much data to begin with. Exactis itself has yet to confirm the data was exposed nor comment on the alleged number of records found.

John Robinson, cybersecurity Strategist at Cofense Inc., told SiliconANGLE that while it doesn’t appear that Social Security numbers were comprised, the Exactis data leak should enrage consumers and businesses alike.

“The sheer amount of cloud databases left accessible on the Internet is astounding, especially when one considers the type and amount of data that users store on it without giving it a second thought,” he said. Just because the server was left open to the public, he noted, does not mean it was stolen by malicious hackers, but that’s not certain.

“The data reported to have been leaked is incredibly comprehensive and can be used by hackers to develop more targeted phishing scams,” Robinson said. “Phishing scams are more successful when the attacker can craft messages that are relevant to the victim — utilizing data such as addresses, personal interests or information about their family.”

Carl Wright, chief revenue officer for AttackIQ Inc,. focused on the lack of security, noting that “consumers are rapidly realizing that there are companies out there that have amassed significant information on them but are failing to provide adequate cybersecurity protections.”

“These companies are using this data to generate significant revenue and in most cases providing little to no value to the consumers,” Wright said. “When a breach such as this occurs, it reinforces the need for government to hold these organizations accountable to the individuals impacted. This will be the only way to ensure that corporations take the necessary steps to secure consumer data. Corporations and government entities must be required to continuously prove that their cybersecurity protections are able to defeat or detect attackers.”

Photo: jepoirrier/Flickr