Exactis Data Breach Takes Cybersecurity Professionals Back to Basics
In June 2018, cybersecurity researcher Vinny Troia discovered one of the largest data breaches in history. Data broker Exactis had exposed a database of nearly 340 million records on individuals on a server that was publicly accessible. That amounted to 2 terabytes of personal and business data, according to Wired Magazine. It is unclear whether criminals actually stole the data, which was simply left exposed for the taking.
What Every Cybersecurity Engineer Knows (but doesn’t always practice)
“What's most shocking about the leak is how Exactis, which prides itself on having one of the world's largest universal data warehouses, has failed to secure their data with the most basic measures, i.e., storing them all on private servers, firewalled, etc.,” Chris Olson, CEO of The Media Trust, told SC Magazine. “Data providers need to keep in mind that they are prime targets for cybercriminals who want to commit identity theft and have tools to find databases on publicly accessible servers.”
The news is reminiscent of revelations in 2017 that Verizon-NICE, the Republican National Committee (RNC), World Wrestling Entertainment (WWE) and Dow Jones had customer records exposed in Amazon Web Services (AWS) S3 buckets. AWS offers cloud services to companies and individuals to store records, develop applications, and deploy software. Verizon alone had between six and 14 million customer records exposed that same year. In every instance, the IT departments involved had left the access controls the service itself provides essentially unused, so the buckets were readable from the public internet.
RedLock, a cybersecurity vendor, estimated that 58% of organizations using cloud storage services such as Amazon S3 and Microsoft Azure Blob storage exposed their accounts to the outside world.
What Was At Stake in the Exactis Breach?
While the Exactis contact database did not contain Social Security numbers or credit card information, it held more than 400 other characteristics of each individual. Records included phone numbers, home addresses, email addresses, interests, habits, and the number, age, and gender of a person's children. The database also divulged whether a person smokes, their religion, whether they have dogs or cats, and their clothing size.
Cybersecurity Administrators Need to Think Like Hackers
Wired reported that Troia found the database while using the Shodan search tool. Shodan continuously indexes internet-connected devices and services, and lets any user search that index by port, product, banner or country.
According to the Wired article, Troia said “he'd been curious about the security of ElasticSearch, a popular type of database that's designed to be easily queried over the internet using just the command line.” Troia used Shodan to search for all ElasticSearch databases visible on publicly accessible servers with American IP addresses. His research revealed that the Exactis database was not protected by any firewall.
"I’m not the first person to think of scraping ElasticSearch servers," he says. "I’d be surprised if someone else didn't already have this."
Spear Phishing Just Got A Lot More Accurate
The exposure has several implications for cybersecurity administrators, network administrators, and IT department managers.
Of course, the most obvious lesson to learn from this and the AWS S3 exposures is to make sure that databases and storage services are not reachable from the public internet: firewalls up and properly configured, and the service's own access controls actually applied.
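The following script is an added example, not code from the article, from Exactis or from Shodan. It turns the attacker's check described in the Shodan section into a defender's audit of the firewall lesson above: for each host you own, it requests the Elasticsearch root endpoint (the default REST port 9200 over plain HTTP is an assumption) and classifies the answer as unreachable (what a correctly firewalled host looks like from outside), auth-required, open, or not Elasticsearch at all. If the node is open, it also totals `docs.count` from `_cat/indices` to size the exposure. The two sample responses are constructed for the offline self-check; the host list is supplied on the command line. Run it only against systems you are authorized to test, and run it from an external vantage point, since the verdict from inside your own network tells you nothing about what the internet sees.

```python
"""Audit whether Elasticsearch nodes answer unauthenticated requests.

Added example (not from the article, Exactis or Shodan). Standard library only,
so it runs anywhere. Port 9200 over HTTP is an assumption; adjust for your setup.
"""
import json
import socket
import sys
import urllib.error
import urllib.request

DEFAULT_PORT = 9200  # default Elasticsearch REST port; what Shodan-style searches key on

# Constructed sample responses, used only for the offline self-check below.
SAMPLE_BANNER = json.dumps({
    "name": "node-1",
    "cluster_name": "docker-cluster",
    "version": {"number": "6.2.4"},
    "tagline": "You Know, for Search",
})
SAMPLE_INDICES = json.dumps([
    {"index": "people", "docs.count": "340000000"},
    {"index": ".kibana", "docs.count": "2"},
    {"index": "closed-idx", "docs.count": None},  # closed indices report no count
])


def classify(status, body):
    """Classify the response to GET / on a suspected Elasticsearch node.

    status is the HTTP status code, or None when no connection could be made.
    """
    if status is None:
        return "unreachable"        # filtered or closed: the correct state from outside
    if status in (401, 403):
        return "auth-required"      # something (X-Pack, a proxy) is in front of it
    if status == 200:
        try:
            info = json.loads(body)
        except ValueError:
            return "not-elasticsearch"
        if isinstance(info, dict) and "cluster_name" in info and "version" in info:
            return "open"           # cluster banner served to anyone: exposed
        return "not-elasticsearch"
    return "unknown"


def count_documents(cat_indices_json):
    """Sum docs.count over _cat/indices?format=json output to size an exposure."""
    total = 0
    for idx in json.loads(cat_indices_json):
        try:
            total += int(idx.get("docs.count") or 0)
        except (TypeError, ValueError):
            pass
    return total


def fetch(url, timeout=5):
    """GET url; return (status, body) or (None, '') when the host cannot be reached."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:          # 4xx/5xx still carry a body
        return err.code, err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, socket.timeout, OSError):
        return None, ""


def audit(host, port=DEFAULT_PORT, scheme="http"):
    """Return a verdict for one host, plus a document count if it is open."""
    base = f"{scheme}://{host}:{port}"
    status, body = fetch(base + "/")
    verdict = classify(status, body)
    documents = None
    if verdict == "open":
        idx_status, idx_body = fetch(base + "/_cat/indices?format=json")
        if idx_status == 200:
            documents = count_documents(idx_body)
    return {"host": host, "port": port, "verdict": verdict, "documents": documents}


if __name__ == "__main__":
    # Usage: python es_exposure.py host1 host2 ...   (defaults to localhost)
    for host in sys.argv[1:] or ["127.0.0.1"]:
        print(json.dumps(audit(host)))
```

Anything other than "unreachable" from an external vantage point means the network perimeter is not doing its job; "open" with a non-zero document count is the Exactis situation. Note that the check is deliberately read-only and stops at the index listing: it never queries documents.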
ThreatIntelligencePlatform.com expects enterprises and individuals to see an increase in the accuracy and frequency of spear phishing attacks. Phishing involves emails that seek to trick individuals into downloading malware onto their computers and networks or into divulging access credentials. Individualized spear phishing attacks will become better targeted and more convincing than in the past because of data breaches like Exactis’s.
“The data reported to have been leaked [by Exactis] is incredibly comprehensive and can be used by hackers to develop more targeted phishing scams,” John ‘Lex’ Robinson, cybersecurity strategist at Cofense, told SC Magazine, contending that consumers and businesses should be outraged. “Phishing scams are more successful when the attacker can craft messages that are relevant to the victim—utilizing data such as addresses, personal interests or information about their family.”
In the event of a data breach, ThreatIntelligencePlatform.com offers a host of APIs that will assist in tracking down the source of malevolent websites and their locations.
Nevertheless, IT professionals shouldn’t make things harder for themselves by ignoring the fundamentals of cyber defense. It is incumbent on them to train individual users to identify and report phishing attacks. They also need to bolster the policies and procedures that will avert another Exactis fiasco. And they need to follow those guidelines.