Sizzle/Fizzle

Two-Sided Markets Sizzle, Swipe Fees Fizzle And Exactis Leaks A Lot Of Data

Fizzle of the Week: Exactis

“Records are made to be broken.”

That famous quote has been assigned, in some variation, to Richard Branson, Michael Phelps, Red Auerbach, Karl Malone and Jackie Joyner-Kersee. And it’s possible that all of these people in fact said this at some point — since they are all record breakers.

Of course, when most people are talking about record-breaking events, they are talking about something positive. But, as consumers are reminded over and over again in the digital age, hitting new heights is not always good news.

No one, for example, wants to see a record-breaking amount of consumer data exposed against their will. And yet new and exciting milestones keep cropping up — and this week featured yet another one in what feels like an ongoing series.

According to reports originating in Wired, Exactis, a Florida-based marketing and data aggregation firm, managed to expose a database with 340 million individual records: roughly 230 million on consumers and 110 million on business contacts.

“It seems like this is a database with pretty much every U.S. citizen in it,” according to Vinny Troia, the security researcher who first discovered the problem.

Which, to be clear, was not a data breach. Unlike the last mass-compromise event in personal data security — the Equifax hack that exposed the data of 145 million American consumers — this information didn’t end up exposed because hackers worked hard to break in and steal the data out of Exactis’ database.

It seems that Exactis just accidentally left all this information, about 2 terabytes of data in all, on a publicly accessible server, exposed to the open internet for anyone who knew how to look. Troia told Wired that he doesn’t know where the data is coming from, “but it’s one of the most comprehensive collections I’ve ever seen.”

And that comprehensive collection contains a lot of stuff most consumers wouldn’t want circulating, easily accessible, on the web. Phone numbers, home and email addresses, interests and the number, age and gender of people’s children were all contained within the publicly viewable information trove.

On the upside, credit card information and Social Security numbers don’t appear to have been leaked. It is also worth noting that, as of this time, it is not known if any hackers or other dark web information merchant types have found this database, though Troia did tell Wired he thought it was likely they had, because he didn’t find this flaw looking at Exactis specifically. He found it mostly by accident, while studying ElasticSearch, a popular type of database that’s designed to be easily queried over the internet.

“I’m not the first person to think of scraping ElasticSearch servers,” he told Wired. “I’d be surprised if someone else didn’t already have this.”

As of this writing, Exactis has not returned media queries on the leak, or confirmed or denied its existence. The firm has, however, secured the exposed data so that it is no longer accessible from the open internet.

Those steps aside, experts are already predicting that fallout will likely be felt from this, even though the criminals did not have the information most directly relevant to financial crime: card numbers and Social Security numbers.

“The likelihood of financial fraud is not that great, but the possibility of impersonation or profiling is certainly there,” noted Marc Rotenberg, executive director of the nonprofit Electronic Privacy Information Center.

Moreover, Rotenberg noted, the leak might reveal to consumers just how much of their data is aggregated and traded, which might make them uncomfortable. Some of the data, he noted, is information that anyone could easily find through a public record search. But a large swath of this data seems to come from the sort of non-public information that data brokers aggregate from sources like magazine subscriptions, credit card transaction data sold by banks, and credit reports.

“A lot of this information is now routinely gathered on American consumers,” Rotenberg said, noting that many Americans might only now be waking up to just how much of that data is collected into specific profiles on them.

Coming on the back of Facebook’s various adventures with user data, and the EU GDPR regulations going into effect, Rotenberg notes this might prompt yet another push for greater regulatory oversight of consumer data and how it is used in the U.S.

“It’s one thing to subscribe to a magazine. It’s another for a single company to have such a detailed profile of your entire life.”

Whether that push happens, and whatever effect it may have, for this week Exactis has earned the Fizzle top spot, for managing to compromise a record-breaking amount of consumer data — all because it didn’t put up something as simple as a firewall.

Sizzle

Two-sided markets: They get not just a reprieve but affirmation and a sizzle, as the Supreme Court rules that Amex’s anti-steering behavior was not an antitrust violation. The higher fees must take into account the higher good dealt to customers and other competitive factors in the card industry, ruled the Supremes, ending an eight-year legal journey.

Whole Foods a Whole New Customer Base: Amazon may double its Whole Foods customer base through Amazon Prime, as there are 30 million consumers who live near the stores … but as many as 70 million Prime consumers in the U.S. Greenfield opportunity amid the green veggies, it seems.

Self-Service Kiosks: Self-service means self-propelled spending. Turns out in some stores the boost is 30 percent, as our own Unattended Retail Tracker shows the right combination of tech, mobility and service is in place. In the meantime, the interactive kiosk market in the U.S. is slated to grow more than 7 percent annually.

Fizzle

Swipe Fee Settlements: Yes, the reputed $6.5 billion in the retail swipe fee settlement that is close to completion (via Visa and Mastercard) is a significant sum, but has been reserved ahead of that action. And the Amex ruling means that current fee structures may remain, which means that Walmart and other retailers’ efforts to gain a say in how fees are assessed may be a fizzle.

Retail Tax Decision: Online retailers get a jolt as states can collect more sales tax related to eCommerce. Stocks slip in sympathy – by way of example, Shopify is off 7 percent on the heels of the news. The taxman seems to be moving well beyond the physical realm.

Ponzi Schemes: Madoff Part Deux? Bank of America is targeted in a class action suit that says the banking giant allegedly helped foster a $102 million Ponzi scheme that defrauded hundreds of investors, chiefly by not reporting suspicious activity.
