A researcher reported that data marketing and aggregation research firm Exactis had an open database that leaked approximately 340 million personal information records via a publicly accessible server. The leaked data, which amounts to close to 2 terabytes, included demographic material on millions of American adults and businesses such as phone numbers, email and home addresses, as well as preferences that marketing firms use for targeting customers. Meanwhile, entertainment ticket marketplace Ticketmaster UK and hotel-reservations platform Fastbooking also reported data breaches wherein attackers may have stolen respective customers’ personally identifiable information (PII) and credit card data.
Researcher Vinnie Troia regarded the Exactis database as “one of the most comprehensive collections” seen, with two thirds of the total number specific to individuals and the rest to identifiable businesses. The database was unprotected by any firewall, and found after searching for ElasticSearch servers among 7,000 other exposed collections. The data was confirmed authentic and may have been gathered from Web searches, magazine subscriptions, and credit reports, among other routinely collated nonpublic information from data brokers. This leak surpasses the 2017 Equifax data breach, where attackers stole 2.4 million PII, but is equally concerning as the pieces of data put together — such as political interests, habits, children’s gender and religion — can be used to detail a targeted individual for advertisers and phishing scams alike. The company closed the database from public access after the notification, but did not disclose if any unauthorized activity has occurred.
Fastbooking has notified the affected hotels of the breach after they discovered that an attacker abused an app vulnerability to install malware on their server. The intruder did not affect victim properties the same way; the attacker stole guest details such as PII and payment information from certain hotels. The company has also sent notification templates that the hotels can use to notify their individual guests and their respective national data protection agencies.
As more countries implement stricter rules to protect their citizens’ information, businesses also have a responsibility to protect their assets. Here are some best data protection practices for organizations and individuals:
Regularly patch and update your systems from legitimate vendors.
Identify the weak spots in your organization’s security infrastructure and implement intrusion-preventive measures accordingly.
Educate all company employees and partners of security policies, communication procedures, and contingency plans on how to identify incidents of attacks and trends in social engineering, and what to do when it happens.