Marketing Firm May Have Leaked Personal Info on Every Adult in the US

A little-known marketing and data-aggregation company called Exactis has compromised records for about 230 million consumers in the US. The records were part of a bigger leak of 340 million individual records. The remaining 110 million records belonged to businesses.

Estimates by the U.S. Census Bureau say that there are about 244 million adults. This means that the leak may have compromised the overwhelming majority of adult Americans. This also means that this would be one of the biggest leaks in history, though still dwarfed by the Yahoo hack that affected 3 billion accounts.

The records include phone numbers, email and postal addresses, in addition to over 400 personal characteristics. Those characteristics are rather mundane – the info includes whether the person is a smoker, a dog or cat owner, their religious affiliation, and the gender of their children, to name a few. This may not seem so serious at a first glance – no financial information or social security numbers were included – but the leak still means that scammers can harvest that info to profile individuals or steal their identities.

Hack vs. Breach

Though the terms are often used interchangeably, there are some differences. A breach describes a situation where data is left unsecured, typically the result of negligence. A hack, on the other hand, happens when cyber attackers purposely compromise, steal, and exploit information.

The breach was uncovered by a researcher by the name of Vinny Troia, the founder of a New York-based security company called Night Lion Security. Troia discovered that Exactis had exposed close to 2 terabytes of data on a publicly accessible server unprotected by any firewall.

Troia said that he found records for every person he searched for in the database, he’s found. Online tech publication WIRED had asked him to find the records of 10 specific people in the database, he managed to find six of them.

Troia contacted both Exactis about his discovery; the latter seems to have protected the data in response. There are no indications yet that the database had been accessed by any hacker. WIRED also said that it had independently analyzed a sample of the data Troia shared and found that “in some cases the information is outdated or inaccurate.”

Data breaches have risen dramatically over the past decade. The number of significant breaches reached 1,300 in 2017, versus fewer than 200 in 2005.