The Exactis Data Breach: Paving the Road to Data Dystopia (or a US GDPR?)

Have you heard yet about the Exactis data breach? With allegedly 340 million records exposed, this one looks ugly.

As I performed a quick visual scan of the early headlines regarding this breach, which was originally broken by Wired, I couldn’t help but repeatedly flinch each time I saw the term “data leak” paired in such close proximity with a number as massive as 340 million. No doubt, with the incessant litany of breaches—even of such colossal scale as this one, audiences are probably well along the course of numbness or apathy… but outraged? Maybe.

Perhaps I’m nitpicking, but when breaches reach the scale of tens or hundreds of millions (or billions, in the case of the Yahoo breach), I think we need to devise a more descriptive nomenclature. A leak connotes a small stream of data, perhaps pooling into a puddle, left unattended. A “leak” can be fixed rather simply, conjuring up that fable of the brave Dutch lad who saved the fate of Holland by plugging up that leaky dike with his finger. Without his courage and simple maneuver, the Netherlands would be Waterworld, or so the tale goes.

No, this leak won’t be mopped up so easily. It’s more akin to data-splatter spanning a multi-site crime scene.

So How Did It happen, and What’s Next?

Let’s first summarize what we know.

As Andy Greenberg of Wired puts it, “You’ve probably never heard of the marketing and data aggregation firm Exactis. But it may well have heard of you.”

And just how is that?

Exactis is a marketing and data aggregation firm, based in Florida. They basically mine and acquire data using cookies as well as through partnership agreements, and then sell that data to marketers and resellers.

On their homepage, Exactis describes itself as “a leading compiler and aggregator of premium business & consumer data. With over 3.5 billion records (updated monthly), our universal data warehouse is one of the largest and most respected in the digital & direct marketing industry”.

What kind of data do they acquire, handle, and sell? Well, a surprisingly broad and varied aggregation of data. Imagine having your social media, dating, career/work networking profile, and data from various other vendors (commerce, pet-sitting, etc.), services, and other websites you visit all amassed in one centralized, easy-to-access place. Apparently, too easy to access. In fact, according to Vinny Troia, who runs Night Lion Security, the 2-terabyte database was left exposed to the internet without authentication! I guess for some folks, that sure beats having to remember a password (but, there are actually awesome tools for that), let alone use a multi-factor method.

As Curtis Franklin Jr. wryly mused in his Dark Reading article about the breach, “What happens when you leave a database filled with personal information open to the Internet? People find it.”

Whoops. And, in fact, Troia apparently just stumbled upon the trove while seeking out ElasticSearch databases, using the Shodan tool. Shodan bills itself as “the world's first search engine for Internet-connected devices,” and is routinely used for discovering/profiling IoT devices, monitoring a network footprint, and more. Exactis' databases popped up in Troia’s Shodan search results, and, he simply accessed the databases. As reported in Wired, Troia discovered databases containing records for 230 million consumers and 110 million businesses (note that Exactis’ own website claims they have data for 21 million “distinct” companies).

The data is no longer accessible and Exactis has not commented on the alleged breach as of this writing. However, at first reveal, this breach seems similar in nature to the recent (well, recently reported anyway) Uber breach involving unsecured engineer credentials hosted on Github. Was the data exposed from the Exactis breach another casualty of security corner-cutting, pedal-to-the-medal DevOps processes? If so, will it help direct more emphasis on DevSecOps? It’s too early to tell, but worth tracking as this unfolds.

What’s the Damage & Fallout?

According to Wired, every data record in the exposed databases has more than 400 data points on characteristics that include such information as:

• Smoker/non-smoker
• Religion
• Political preference
• Browsing data
• Purchasing data
• Dog or cat ownership
• Do you care about the use/misuse of your data?

Ok, I made up that last one, but it seems like a worthy enough piece of information to (want to) know about someone.

These pieces of data can allow for highly targeted web ad campaigns, and in the wrong hands, phishing campaigns and other social engineering exploits—despite the fact that the exposed data is not reported to include social security or credit card numbers.

But, is the data in the wrong hands? Probably. It would be naïve – borderline irrationally optimistic (like on par with expecting, no, believing, the Browns to legitimately compete for the Super Bowl this year)—to assume otherwise. Troi found the unguarded data inadvertently—there are legions of motivated hackers working around the globe with increasingly advanced arsenals of exploit toolkits at their disposal, including ones leveraging automation, machine learning, and AI to find and extract data. The Exactis database was easy pickings.

However, expect Exactis and/or their partners to issue a boilerplate notification to affected parties offering the usual precautionary consolation credit surveillance and other services, while playing up the notion that, since no reported misuse has been reported (yet), the data “may” not have fallen into the wrong hands. Whew, crisis averted.

Security as a Competitive Differentiator, GDPR, and other Musings

Throughout their website and blog, Exactis repeatedly touts the breadth and accuracy of their data, and the high standards to which this is maintained. But, brought into focus by this breach, concepts such as data security, information governance, data protection, and data privacy seem glaringly absent.

As Nathaniel Mott of Tom’s Hardware reflected, “…It seems like the general public is doomed to be compromised by data brokers they don't even know exist.”

Across the pond, GDPR is in effect and now enforceable (as of May 25th, 2018) to ensure high stewardship standards for the data of EU citizens, leveling hefty penalties on organizations that run afoul of GDPR rules. Assuming GDPR proves operationally feasible over the long run, will the uninterrupted onslaught of egregious IT security lapses and data handling abuses nudge U.S. policies further down that path? Or, should we imagine an entirely different data dystopia, where organizations are shamelessly negligent with user/customer/partner data with impunity—or even profiting off of their own data breaches. Could publicity from this breach actually put Exactis on a more profitable trajectory? After all, in the wake of this “alleged” exposure, they are essentially receiving free promotion of their comprehensive, diverse database of information on so many U.S. citizens and businesses. We’re talking over 400 data points! It seems perverse, but we’ve witnessed weirder outcomes.

How Can Organizations Prevent Exactis-like Breaches?

The best perimeter defense in the world is ultimately no match for human folly, and it has never been. Moreover, the cloud and the lightning-fast portability of data and workloads at massive scale—which is just the way modern IT works today—makes it ridiculously easy to sneak off with staggering amounts of data.

We don’t have much of the breach details yet, but there are at least several security layers that most likely could have lessened the scope of this breach, outright prevented it, and/or helped to quickly identify issues along the way to remediate it. Here are a few:

1) Data loss prevention (DLP) software apply contextual parameters on data that prevent data from being moved where it shouldn’t, and to restrict who can move the data and to whom and where they may move it. Simply put, it helps prevent unauthorized use or misuse of data.

2) Privileged access management (PAM) solutions can protect against external attacks as well as inside threats (whether arising from malice or negligence). Enforcing least privilege and exercising tight control and auditing over privileged users vastly reduces the threat surface, while also minimizing the scope of damage that can potentially occur from an attack, or merely arising from an oversight of an overworked employee, or one just having a rough day. Privileged password management solutions, ideally integrated within PAM, can discover and onboard privileged user and application accounts, ensuring password security best practices (such as having a password in the first place!).

3) Configuration management solutions… Could a misconfiguration have broken a policy rule, resulting in the public availability of the Exactis database? We don’t know yet, but a simple misconfiguration error can definitely have broad, far-reaching consequences like this. That’s why, along with the right processes, it’s critical to have tools that scan for misconfigurations and help ensure compliance with policies (assuming these are well-written).

Exactis hasn’t even coughed up a mea culpa regarding the “alleged” breach, let alone outlined the missteps leading to it, so details are still scant. But would implementing processes and solutions (such as the ones summarized above) that help prevent humans from making big mistakes have prevented the Exactis breach? Maybe. Most likely even, but we’re sure to learn more in the coming months.