When Data Pours: Exactis Database Leaks 340 Million PI; Fastbooking, Ticketmaster UK Breached
A researcher reported that data marketing and aggregation research firm Exactis had an open database that leaked approximately 340 million personal information records via a publicly accessible server. The leaked data, which amounts to close to 2 terabytes, included demographic material on millions of American adults and businesses such as phone numbers, email and home addresses, as well as preferences that marketing firms use for targeting customers. Meanwhile, entertainment ticket marketplace Ticketmaster UK and hotel-reservations platform Fastbooking also reported data breaches wherein attackers may have stolen respective customers’ personally identifiable information (PII) and credit card data.
[Read: Year in Review: 2017's Most Notable Data Breaches]
Researcher Vinnie Troia regarded the Exactis database as “one of the most comprehensive collections” seen, with two thirds of the total number specific to individuals and the rest to identifiable businesses. The database was unprotected by any firewall, and found after searching for ElasticSearch servers among 7,000 other exposed collections. The data was confirmed authentic and may have been gathered from Web searches, magazine subscriptions, and credit reports, among other routinely collated nonpublic information from data brokers. This leak surpasses the 2017 Equifax data breach, where attackers stole 2.4 million PII, but is equally concerning as the pieces of data put together — such as political interests, habits, children’s gender and religion — can be used to detail a targeted individual for advertisers and phishing scams alike. The company closed the database from public access after the notification, but did not disclose if any unauthorized activity has occurred.
[Read: Equifax Breach – an example of good communications]
Fastbooking has notified the affected hotels of the breach after they discovered that an attacker abused an app vulnerability to install malware on their server. The intruder did not affect victim properties the same way; the attacker stole guest details such as PII and payment information from certain hotels. The company has also sent notification templates that the hotels can use to notify their individual guests and their respective national data protection agencies.
[Read: Are you GDPR compliant?]
As more countries implement stricter rules to protect their citizens’ information, businesses also have a responsibility to protect their assets. Here are some best data protection practices for organizations and individuals:
- Regularly patch and update your systems from legitimate vendors.
- Identify the weak spots in your organization’s security infrastructure and implement intrusion-preventive measures accordingly.
- Educate all company employees and partners of security policies, communication procedures, and contingency plans on how to identify incidents of attacks and trends in social engineering, and what to do when it happens.
- Practice network segmentation and data categorization.
- Establish a multi-layered security solution for intrusion detection and prevention.
- Create strong passwords for all online accounts and change them frequently.
- Monitor your accounts for unauthorized access and purchases made, and report any irregularities to your bank or related authorities immediately.
- Be aware of social engineering techniques used to steal online account credentials.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
- Ransomware Spotlight: TargetCompany
- Email Threat Landscape Report: Cybercriminal Tactics, Techniques That Organizations Need to Know
- Preventing an Imminent Ransomware Attack With Early Detection and Investigation
- Inside the Halls of a Cybercrime Business
- Securing Cloud-Native Environments with Zero Trust: Real-World Attack Cases