Here’s What It’s Like to Accidentally Expose the Data of 230M People

Credit to Author: Andy Greenberg | Date: Mon, 18 Mar 2019 11:00:00 +0000

Steve Hardigree hadn't even gotten to the office yet and his day was already a waking nightmare.

As he Googled his company's name that morning last June, Hardigree found a growing list of headlines pointing to the 10-person marketing firm he'd founded three years earlier, Exactis, as the source of a leak of the personal records of nearly everyone in the United States. A friend in an office adjacent to the one he rented as the company's headquarters in Palm Coast, Florida, had warned him that TV news reporters were already camped outside the building with cameras. Ambulance-chasing security firms were scrambling to pitch him solutions. Law firms had rushed to assemble a class action lawsuit against his company. All because of one unsecured server. "As you can imagine," Hardigree says, "I went into panic mode."

The day before that scrum, WIRED had revealed that Exactis exposed a database of 340 million records on the open internet, as first spotted by an independent security researcher named Vinny Troia. Using the scanning tool Shodan, Troia identified a misconfigured Amazon ElasticSearch server that contained the database, and then downloaded it. There he found 230 million personal records and another 110 million related to businesses—more than two terabytes of information in total. Those files didn't include credit card information, passwords, or Social Security numbers. But each one enumerated hundreds of details on individuals, ranging from the value of people's mortgages to the age of their children, as well as other personal information like email addresses, home addresses, and phone numbers.
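The root cause described above is a configuration failure rather than a software bug: an Elasticsearch node reachable from the internet with no authentication on its HTTP API. The following is an added illustration, not from the article and not Exactis's actual configuration; it assumes a self-managed Elasticsearch 7.x node configured through `elasticsearch.yml`, and the keystore path is an assumption. It places the exposed pattern beside the restricted one so the difference a defender should audit for is visible.

```yaml
# elasticsearch.yml -- exposed pattern (illustrative only, not Exactis's real config).
# Binding to every interface with security disabled means any host that can reach
# TCP 9200 can list and dump every index without credentials, which is exactly the
# condition an internet-wide scanner such as Shodan surfaces.
network.host: 0.0.0.0
xpack.security.enabled: false

---
# elasticsearch.yml -- restricted pattern.
# Bind to loopback (or a private interface), require authentication, and enable
# TLS on the HTTP API; keep 9200 closed at the firewall / security group as well.
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12   # assumed path
# Self-check after restart: an unauthenticated request to /_cat/indices from
# another host should fail (connection refused or HTTP 401), not list indices.
```

For a managed AWS Elasticsearch/OpenSearch domain the equivalent controls are the domain access policy and VPC placement rather than this file; a resource policy whose principal is `*` with no source restriction is the managed-service counterpart of `network.host: 0.0.0.0` with security off.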

Exactis licensed that information to marketing and sales customers, so that they could integrate it with their existing databases to build more comprehensive profiles. But privacy advocates have warned that those same details, left open to the public, could just as easily allow spammers or scammers to profile targets.


The sort of accidental mass data exposure Exactis experienced is hardly unique, given the string of similar or worse private info spills that have happened even in the months since. Much rarer, however, is Exactis founder Steve Hardigree's willingness to talk to WIRED about that experience: being the company at the center of a nationwide data privacy fracas, as well as dealing with the legal, bureaucratic, and reputational fallout.

The result is a cautionary tale about the liability that a massive dataset can create for a tiny company like Exactis. It also hints at just how easy it's become for small firms to wield massive, leak-prone databases of personal information—without necessarily having the resources or know-how to secure them.

But first, Hardigree wants to make a point: The Exactis data exposure was no "breach," he says. He takes issue even with calling it a "leak." Hardigree insists that while the data was left exposed online in early June of last year—only for a matter of days, Hardigree says, though Troia claims it was more like months—the company's logs and an external security audit seemed to show that no outsiders actually accessed it other than Troia. The data was secured in response to Troia's warning prior to WIRED's story. "We don't believe it ever leaked," Hardigree says.

Troia counters that he took a screenshot last July of a listing on a dark web forum called KickAss that appeared to be selling at least part of the Exactis data. (See below.) But Hardigree says that Exactis included false "seed" personas in the database, designed to serve as a test to see if it had leaked, a standard marketing industry technique. Hardigree says he's continued to monitor those seeds personally, and none have received any emails that would indicate a leak—spam, phishing or otherwise. He also says he's been in contact with the FBI, and claims the agency has been scanning the dark web for the Exactis data and found none. (The FBI declined WIRED's request to comment on or confirm this.)

Whether criminals took the data or not, the exposure effectively ended Exactis. Though the company hasn't declared bankruptcy, Hardigree says he's given up on making money from it, and plans to focus his efforts on another startup. After the flood of news coverage following WIRED's story, the company's customers largely abandoned it. Partners with whom Exactis had traded data, or whom it used to verify data, asked to be taken off the Exactis website. Equifax went so far as to send a cease-and-desist letter to compel Exactis to stop using its name on its website, Hardigree says, a cruel irony given Equifax's own massive privacy scandal. Eventually, the three most senior executives who held stakes in Exactis other than Hardigree walked away, too. "I've lost the business," Hardigree says.

In the meantime, Hardigree says that he and his company have been hit with thousands of angry emails and phone calls, including multiple death threats. Hardigree even claims Exactis was targeted at one point with a flood of junk traffic that took down its website.

"I'm terrified, and my wife and kids are terrified," Hardigree said in a phone call with WIRED in the midst of that backlash's first days last July. "It's been a bit devastating." After the scandal broke, Hardigree went on a working vacation to North Carolina, but says his stress over the situation was so severe that he broke out in hives and had to go to the hospital for treatment. In a final indignity, Hardigree received a text alert from LifeLock, an identity theft prevention service to which he subscribed. It was warning him about the threat to his privacy from his own company's data exposure.

"I was mentally wrecked," he says.

In the months since then, Hardigree says he's dealt with inquiries from more than a dozen state attorneys general who were concerned about the potential for abuse of Exactis' data, as well as the FBI, though he notes that all have since stopped questioning him. The class action lawsuit against Exactis, led by the Florida law firm Morgan & Morgan, hasn't been dropped, but hasn't progressed to trial. Hardigree believes it has stalled, given that his company simply has no money to pay damages, even if any damage could be shown. Morgan & Morgan did not respond to an inquiry from WIRED.

Hardigree has been left to deal with this lingering legal and bureaucratic mess largely alone. Among those who have departed the company were his three partners, two of whom handled the company's technology and the security of its data, and whom Hardigree blames for exposing the company's ElasticSearch database online in the first place. Neither of those ex-partners responded to WIRED's request for comment.

The ordeal has been a grueling lesson for Hardigree, who says that he's learned the hard way how much even a tiny firm like his has to prioritize security. "Be careful with your data, and be careful with the people who manage your data," Hardigree says. "I hired some guys that were careless. But at the end of the day it’s the CEO who’s responsible. I take responsibility."

On some points, however, Hardigree remains defiant. He calls Troia, the researcher who found his exposed data, "not a good guy," and accuses him of tanking Exactis in order to raise his own profile. He points out that Troia contacted WIRED before he contacted Exactis about its data exposure, and sent the company a marketing brochure after his initial email, which Hardigree and his staff saw as a kind of shakedown. He also alleges that Troia may have broken the law by downloading the exposed data—a fairly common practice among security researchers—and again by giving a copy of it to the breach notification service HaveIBeenPwned.com.

"I could sue him in civil court or press criminal charges but I don’t think it solves anything," Hardigree says. Troia admits that he does feel bad for playing a role in killing Exactis. But he doesn't regret his actions. "If I hadn’t found it, somebody else would have down the line," he says. "At the end of the day, the door was wide open, and he was leaking data on all these people."

Hardigree also still maintains that the data Exactis aggregated and then exposed wasn't actually sensitive, and that the outrage over its exposure was overblown. He says much of it was pulled from sources like public records and census data. Exactis combined that public information with data it traded for and bought, with sources ranging from payday loan and auto companies to surveys to registration forms for business publications. Hardigree claims that hundreds of small companies possess similar data. He argues that anyone can buy a less refined version of the same collection, what's known as a Consumer Master File, for around $1,000. "This data is out there, and it always has been out there," Hardigree says.

But Troy Hunt, the security researcher and data breach expert who manages HaveIBeenPwned, says that the Exactis data was indeed sensitive enough to justify the wave of pain that hit the company after its security lapse. He argues the data is, in fact, sufficiently detailed to contribute to identity theft, and certainly detailed enough to creep out anyone who finds themselves in it.

"I'm playing a very small violin right now," Hunt says of Exactis' post-exposure troubles. "They’re saying ‘look, we went and scraped up a bunch of people’s data without their expectation it would be used in this way, and certainly without any informed consent. Then we failed to secure it properly. Now we’re upset something bad happened to us as a result.' They're not going to get much sympathy from anyone for that."

But Hunt does agree with at least one of Hardigree's points: a growing mass of startups does seem to possess and analyze outsized amounts of consumer data, something that wouldn't previously have been possible for small firms. He points to both Apollo.io and Verifications.io as examples of obscure firms that have recently exposed massive troves of consumer data. Verifications.io, for instance, seems to have been so fly-by-night that it responded to its data leak by taking down its website, and hasn't restored it since.

You can thank cloud services and computing advances for that mismatch between the size of a company and the amount of data it can hold, says Hardigree. "You used to need supercomputers to do this. Now you can do it from a PC," he says.

The Privacy Rights Clearinghouse, which tracks US data breaches, says it didn't possess data about the size of the companies that spilled 1.37 billion records total in just the last year. But the group's policy counsel Emory Roane says that given technological advances and a lack of accompanying regulations, an uptick in big breaches from small firms seems like a natural outcome. "I'm not at all surprised that there are companies like Verifications.io and Exactis all over the country that have bought or are able to collect extreme-hoarding levels of data," Roane says. "It's possible because of the technology, but also because we don’t have strong protections."

While Hardigree at some points defended and downplayed his company's privacy mishap, at other points in conversation he seemed to acknowledge the example his company has become: a small firm that's paid the price for a massive data exposure, not a unique one, perhaps, but one among a growing class of small data aggregators that was unlucky enough to have been caught with its firewall down.

"I didn't want to be the poster boy for this," Hardigree told WIRED in one of his more resigned moments. "But it has changed the way I feel about privacy. All of us need to be responsible for protecting this information. If you can’t protect the data, you shouldn’t be in this space."
