You’ve probably never heard of the

Massive leaks of user databases that are accidentally left accessible on the public internet have nearly reached epidemic status, affecting everything from health information to password caches stored by software firms. One particularly prolific researcher, security firm UpGuard’s Chris Vickery, has discovered those database leaks again and again, from 93 million Mexican citizens’ voter registration records to a list of 2.2 million “high-risk” people suspected of crime or terrorism, known as the World Check Risk Screening database.
But if the Exactis leak does in fact include 230 million people’s information, that would make it one of the largest in years, bigger even than 2017’s Equifax breach of 145.5 million people’s data, though smaller than the Yahoo hack that affected 3 billion accounts, revealed last October. (It’s worth emphasizing that in the case of the Exactis leak, unlike in those earlier data breaches, the data wasn’t necessarily stolen by malicious hackers, only publicly exposed on the internet.) But as with the Equifax breach, the vast majority of people included in the Exactis leak likely have no idea they’re in the database.
EPIC’s Marc Rotenberg argues that the timing of the breach, just after the implementation of Europe’s General Data Protection Regulation, highlights the persistent lack of regulation around privacy and data collection in the US. A GDPR-like law in the US, he notes, might not have prevented Exactis from collecting the data it later leaked, but it might have required the company to at least disclose to individuals what sort of data it collects about them and allow them to limit how that data is stored or used.
“If you have a profile on someone, that person should be able to see their profile and limit its use,” Rotenberg says. “It’s one thing to subscribe to a magazine. It’s another for a single company to have such a detailed profile of your entire life.”