Monday 10th December 2018

Legal firms file lawsuit over data breach that allegedly compromised personal data of 230 million US citizens

The lawsuit defines the breach as 'one of the biggest and most damaging breach cases, exceeding Equifax and other massive data breaches.'
by Jason Smith on 30th June 2018

Three legal firms have filed a class action lawsuit against Exactis, a marketing firm based in the US, over a data breach that allegedly compromised the personal data of 230 million US citizens and 110 million US businesses.

The data was stored in an Exactis database that was discovered on the servers of enterprise-grade search engine Elasticsearch by security expert Vinny Troia of Night Lion Security.

The database contained 2 terabytes of data; however, it is unclear whether any malicious actors managed to access it while it was publicly available.

The lawsuit has been filed at the United States District Court for the Middle District of Florida by legal firms Morgan & Morgan, DiCello Levitt & Casey and Robbins Geller Rudman & Dowd.

It refers to the data breach as “one of the biggest and most damaging breach cases, exceeding Equifax and other massive data breaches – in both scale and information disseminated.”

It also alleges “Exactis failed to employ even the most basic forms of security, and left this highly sensitive information of some 230 million consumers and 110 million businesses on a public server—bare, unprotected, and available to anyone to download.

“Even worse, Exactis did not employ any form of encryption to protect this data.”

It further claims US citizens “have suffered real and imminent harm as a direct consequence of defendant’s conduct” and seeks monetary damages as well as injunctive and declaratory relief.

According to a report in WIRED, the database comprised names, email addresses and home addresses of individuals. It also stored data about individuals’ characteristics and interests, e.g. whether an individual smoked, the gender of his or her children and other highly specific information.

While the database would represent a significant haul of information for any malicious actor who happened to access it, reports suggest it didn’t contain payment details of the individuals and businesses compromised.