If the reports are accurate, a Florida-based marketing and data company exposed 340 million records containing sensitive personal data. The gravity of the situation is yet to be confirmed or even discussed by Exactis, but the leak is estimated to include 230 million consumers and 110 million businesses.
If confirmed, this breach involves basically everyone in the United States.
Compromised information includes phone numbers, addresses and personal characteristics such as interests and habits.
There are so many deeply concerning aspects to the Exactis breach that it is hard to know where to start. First of all, there is the sheer size. Then there is the nature of the data exposed in the breach: while there were no Social Security numbers and no payment card information, there are names, telephone numbers, addresses, email addresses and over 400 other personal characteristics ranging from health-related data (smoker, yogi, runner) to lifestyle (dog or cat person) to religious affiliation.
Why This Matters
The compromise includes an embarrassment of riches information-wise for scam artists and other criminals interested in committing fraud.
Another reason this should matter: Chances are very good you’ve never heard of Exactis, yet they possess a treasure trove of information about you. As such, the company and its cybersecurity failure provide a valuable object lesson on the perils of surveillance marketing techniques.
More to the point, the Exactis breach points out the glaring contrast between US privacy standards and the newly re-established European privacy protocols set out by the GDPR. In the United States model, there is a general and pervasive lack of accountability and transparency in the consumer data market.
The most alarming aspect of the alleged Exactis breach is that most Americans have never had a direct relationship with the company.
So how is it that Exactis knows something about nearly every US consumer? The reason is simple: the U.S. information economy demands very little in the way of accountability when it comes to the trafficking of personal information.
There is a general lack of restrictions regarding the way businesses share personal information with third parties and a super-abundance of consumer privacy apathy. But more than anything it is the dearth of broad-based regulatory restrictions aimed at curbing data brokering and collection—or at least making it more cybersecure.
We can only hope that this incident will shine a klieg light on the problem, and in the meantime start working towards better cyber hygiene, both when it comes to our personal information and the way data is treated at the organizational level.