Category Is: Another Data Aggregator Breach

Writer Emily W.
March 29, 2019

Emily serves as the VP of Research at Terbium Labs. With a background in International Relations, Emily alternates between quiet rants about Russian politics and foreign policy, while crafting blog posts about the realities of the Dark Web (hint: red rooms aren't real).

Security researchers recently discovered an unsecured database containing hundreds of millions of personal information records. In addition to the personal information — which was stored in plain text — the database also contained corporate data, including information on businesses and their employees. The data came from a data aggregator that hadn’t taken the appropriate steps to protect the information it was supposed to be holding securely.

Does any of this sound familiar? It should.

While this database — in this case, from marketing firm Verifications.io — is the most recent security incident of its kind, it’s hardly the first. In the last nine months alone, four other data aggregators have made headlines for exposed servers or security incidents, often involving hundreds of millions of records. These incidents are a stark example of the future of data compromise: a huge volume of records, a wide variety of data types and, far too often, limited security from firms that should know better.

These firms operate by collecting as many data points as they can on their targets, usually consumers, who already struggle to lock down their own personal data in an increasingly hostile world in which big tech companies reap huge rewards for collecting data without shouldering the privacy and security responsibilities that should come with it. The tech companies draw in users, incentivizing them to share and connect across multiple platforms, while building massive stores of interwoven data points. These large-scale data collection platforms raise the expectations of companies looking to market their products, which in turn pushes outside lead-gen and marketing firms to aggregate as much data as they can in order to stay competitive.

The result? Troves of information and obvious targets for compromise.

When security researchers discovered an unsecured database at marketing firm Exactis last summer, they found more than 340 million consumer and corporate records left open to the public. The records contained contact details and personal information, but also more detailed information about preferences and households: habits, interests, and the age and gender of the targets’ children.

If that wasn’t concerning enough, consider this: At 809 million records exposed, the Verifications database is more than double the size of Exactis’s database, and it isn’t even the largest exposure of its kind. Late last year, sales data aggregator Apollo sent notices to its customers about a breach. Not just an unsecured database, not a weakly-guarded server, but an actual breach. The Apollo database gathered information on hundreds of millions of organizations, representing more than nine billion data points criminals could exploit across the target companies.

Data breaches have grown so large that an exposure at another lead-gen firm in recent months barely registered in the news because it exposed "only" 44.3 million individuals. Security researchers discovered an unsecured database from the aptly named aggregator Data & Leads containing those 44.3 million personal information records, alongside a second unsecured database containing information on more than 25 million companies.

Each of these firms is explicitly in the business of gathering, storing, and selling sensitive data. They openly market themselves as sources of high-quality leads and information — everything from a CEO’s email address to recommendations on the right subset of consumers for marketing a new product. Yet these same companies seem largely unconcerned with proactive data security measures, which has an unavoidable impact on the security of the individuals and organizations caught up in their exposure. After all, the people and companies exposed in these databases are the ones who ultimately face the fallout from data compromise, not the organization that failed to secure its information.

These incidents are a sober reminder that companies can do everything in their power to secure their data, train their employees, and safeguard their customers, and still end up exposed. Data does not stay siloed within an organization, and companies cannot trust that their vendors, or unconnected third-party firms like these aggregators, will take the necessary steps to protect and secure corporate data. These will not be the last third-party exposures on this scale, and businesses must plan accordingly.
