Another nightmarish cybersecurity event has recently occurred in the form of the Exactis data breach, reminding small businesses of the importance of maintaining robust network defense measures.
In this blog post, we will examine what happened in the Exactis data breach, why these breaches are dangerous to consumers and businesses alike, and the important steps companies should take to protect themselves against these cybersecurity threats.
Who is Exactis and What do They do?
Even though most people have never heard of them, Exactis is a successful marketing data and aggregation firm, which collects and sells a large amount of valuable consumer and business information to a wide range of clients. Their massive “universal data warehouse” contains a staggering 3.5 billion records made up of consumer and business contacts. Each entry contains a cache of relevant information that predicts and determines purchasing patterns and other behaviors.
Exactis primarily collects information on individuals using the power of cookies on websites. When an individual visits a website, a cookie serves as a small packet of data storing information on their behavior while on the site. Cookies are becoming ever more powerful, especially with the use of artificial intelligence. Many cookies now have the capability to link up with other cookies on different devices and websites to collect and share data and to provide a detailed picture of a user’s browsing habits and potential purchasing preferences.
What Happened?
During a routine security review by an outside entity, an expert discovered that Exactis’ ElasticSearch database had somehow been left unprotected and exposed on a publicly accessible server for an undetermined amount of time. Inconceivably, this priceless source of information was available to anyone who accessed the server without any type of login information. The database was not even protected by a single firewall.
Experts believe that this massive database included an estimated 230 million consumer entries and 110 million business contacts comprising nearly two terabytes of data. The cost and effort to obtain this large amount of varied information on these individuals by Exactis was considerable. Because of the importance of this database to the company’s core objectives, it is hard to understand how it could have been left so poorly protected.
Why is This Breach so Dangerous?
Independent security reviewers quickly noted the danger of the exposure of this comprehensive database. They explained grimly that the massive size of this data breach likely involved the exposure of some personal information collected on almost every adult living in the United States. Fortunately, no social security numbers or sensitive financial data were stored in these records, but a great deal of private information was included in the entries.
Even though the most sensitive private data was not exposed, each record in the database included more than 400 variables used to complete a personal profile of the user. Notably, some of the information available included what is known in security parlance as Personally Identifiable Information (PII) such as email addresses, various phone numbers, and home addresses. Cybercriminals greedily look to collect and utilize this type of personal information when they attempt to commit synthetic identity theft.
In addition, each database record contained a treasure trove of collected personal information, which was designed and organized to help Exactis’ clients target individual consumers and businesses with products and services. For example, these entries contained information about personal hobbies, religious and political affiliations, past purchasing behavior, typical vendors, marriage status, number and gender of children, emergency contacts, favorite types of entertainment, pet ownership, magazine subscriptions, vacation history, and much more. In short, the database had a stunning amount of personal information and behavioral patterns connected to a great deal of individuals and company contacts.
Leaving aside the worthwhile question of how it is possible for marketing database companies to collect so much information on consumers and companies, the exposure of this vast amount of data has made it much easier for cybercriminals to access personal data and commit identity theft.
Recommended Protective Measures for Small Businesses
This latest cybersecurity disaster is yet another wake-up call for small businesses. Looking at lessons learned from this event, we recommend that your company implement the following measures to best protect itself from this data breach and other cybersecurity dangers.
Educate and train your employees in proper internet and email protocol
As we’ve mentioned in previous blog posts, the weakest link in a company’s cybersecurity is employee error. Your company should have a strict internet and email behavior protocol in place and make sure that all employees are educated and trained properly to avoid dangerous behavior. Employees should also practice strong password control and consider implementing passphrases for improved security.
Stress to employees the increased danger of phishing because of the Exactis data breach
Even though the level of “phishing,” has decreased since last year, there is still a substantial amount of it occurring as hackers attempt to gain unauthorized access to company networks and install ransomware and other malware. With the Exactis data breach opening the floodgates of personal and company information, some cybercriminals will now have valuable data that can help them design phishing links that appeal directly to people’s interests.
As a result, your company should inform your employees to pay special attention to avoiding the enticing clickbait emails and links that will inevitably appear on their home and business devices.
Protect your web-facing infrastructure and leverage smart cybersecurity protocols and applications
Unlike Exactis, your company should take careful care to avoid storing any private or sensitive information on any web-facing infrastructure. There is nothing more valuable to your company and its core objectives than its sensitive internal and client data. Your company should also utilize perimeter and application firewalls and the latest updated anti-virus solutions. Your small business should always make the necessary investment of money and effort to ensure your cybersecurity protection is at its optimal level.
Don’t neglect remote device cybersecurity
With the ever-increasing amount of employees working remotely, your company should ensure that all remote workers are trained and educated in responsible internet and email behavior and that they follow strong cybersecurity protocols at home and in the office. The use of multi-factor authentication is particularly useful in protecting remote devices from unauthorized access.
Work Closely with an IT Expert
Most importantly, your small business should consult and work with a trusted IT Support partner, such as Network Depot, to make sure your cybersecurity is at the highest level. For example, your company and your IT partner should regularly test your entire network for security vulnerabilities but particularly focus on any web-facing infrastructure.
By taking these measures your small business can best protect itself against the negative repercussions of the Exactis data breach as well as future cybersecurity threats.