8 Million+ Records Exposed in Massive Data Theft
By: Jim Stickley and Tina Davis
March 25, 2019
It’s not looking good for the public at large in terms of data theft. A shocking 12,449 more incidents since last year translates to a 424% increase in just one year. The latest massive data breach of a data marketing firm exposed roughly 800 million records belonging to U.S. citizens who had no idea their data was being collected, never mind on such a massive scale. The personally identifiable information (PII) of victims included email addresses, dates of birth, street addresses, phone numbers, and much, much more.
The data firm collected massive amounts of data on individuals and then sold it to marketing firms, who use it to target their advertising. Although data collection is big business, the reason for this breach may ruffle a lot of feathers: hackers did not perpetrate it. All 800+ million records were left unsecured on a public-facing server accessible to anyone who looked for it.
Although the leaky data collection firm has not been publicly identified, what happened is now very public. Unfortunately, it’s not the first time a breach like this has happened. Just last year, Exactis, a Florida-based data collection firm, experienced a breach exposing over 340 million records. Incredibly, the Exactis breach was also caused by unprotected data on a public-facing server. At a time when hackers are more successful than ever at perpetrating data breaches, one would think data collection companies would keep their information on heavily protected servers. Instead, they are literally handing hackers the PII of millions of unsuspecting victims. Organizations are on the hook: they need to take stock, review and update security policies and procedures, ensure that all servers and databases are properly configured, and keep security policy training on the agenda as a hot topic throughout the year. Threats evolve. New ones appear. Providing training once a year won’t cut it anymore.
Outrage aside, the companies involved removed the servers immediately after being notified by researchers who stumbled upon them. However, the quick action was too little too late. The data of both firms had already been exposed and stolen.
Keeping data secured should be the responsibility of those who collect it, especially when it’s done solely for profit. Data collection is big business and big money, making it even more difficult to accept that securing enormous amounts of data was clearly not even a thought. Once again, the responsibility for protecting one’s own PII rests on the individuals and not those who collect it. Getting back to the basics of online protection is now more important than ever. By now, it’s safe to assume your PII has been pilfered in any one of the all too common data breaches, whether from five years ago or from yesterday. Keeping an eye on credit card and financial accounts on a regular basis is now a necessary part of staying safe and aware. There are also credential checker tools available to see if your PII is already out there and possibly up for sale on the dark web. We’re all aware of the need for very strong login passwords, and using 2-factor authentication (2FA) or multifactor authentication (MFA) adds another layer of security to your login. The war against data breaches is on, and consumers are on the front line of defending their PII.