Exactis is an obscure data aggregation company based in Palm Coast’s Katz building on Florida Park Drive. It has records on just about every American, individual or business–a total of some 340 million records. On Wednesday, Wired reported that the records had been exposed to potential theft, and were in fact accessed by a security expert who discovered the vulnerability–and contacted Exactis’s CEO in Palm Coast.
In a long interview with FlaglerLive today, Steve Hardigree, Exactis’s CEO and a resident of the Hammock for the past 10 years, said there had been no “leak” or “breach,” in the sense that no data had been stolen. “According to log reports there was no breach,” Hardigree said. “We’ve been working diligently not only with the folks who discovered the leak, but we’ve been working with the Attorney general’s office,” among others.
“We’re considered enemy number one by the cyber community,” he said. “I don’t think it’s going to amount to anything because there’s not been any damage done to anyone.”
Exactis is working with Vinny Troia, the cyber security consultant who discovered the breach while conducting a search that led to exposed IP addresses through which he was able to access Exactis’s mass of data–what Hardigree described as a “port” that in essence had been unknowingly left open on the company’s cloud-based servers, which are provided by UrNode and hosted by GoDaddy. A firewall was immediately restored. Troia, according to Hardigree, will provide an independent review that will result in an eventual press release on the company’s website informing the public that there’s no risk of data being released.
Nevertheless what Hardigree described as the “firestorm” that followed Wired’s report resulted in a torrent of calls to him, requests from individuals and businesses to be removed from the database or, in the case of two or three partners, to have their logos removed from Exactus’s website. Hardigree got at least one death threat–a man who told him he’d shoot him on sight if he saw him–and is worried for the safety of his wife and children, one of whom graduated from Matanzas High School, with another set to graduate from Flagler Palm Coast High next year.
And the fallout from the crisis, which has been reported across the nation, may spell the end of Hardigree’s business, which he says was generating $350,000 a year in sales. “Unfortunately the damage is done to my company,” Hardigree said. “I’m not sure if there’s a way for us to come back. I was getting ready to start hiring here in Palm Coast. I’m not sure we’re going to have the resources because I’m starting to lose clients.”
Also, he faces a lawsuit filed in federal District Court in Florida by the Chicago-based DiCello Levitt and Case law firm, on behalf of a complainant in Pinellas County. “The data compromised by Exactis’ breach is even more severe than financial information, such as credit card or bank account numbers,” Adam Levitt, one of the lawyers in the case, is quoted as saying in media reports. (Levitt did not respond to a call and an email.) “Exactis’ database included email and postal addresses, whether a person had a pet, whether the person is a smoker and a number of other personal interests. This type of information is frequently used by hackers to steal identities and break into your accounts.”
Hardigree said he’s had conversations with Levitt and is hoping the lawsuit won’t go forward. “There’s really nothing here. In a class action there’s got to be damages,” Hardigree said. He claims there were no damages, and insisted repeatedly that what information was aggregated did not involve personally-identifying data such as social security numbers or driver’s license numbers, but publicly available records including emails, addresses, phone numbers, Facebook and other social media profiles.
The line has been blurring however between strictly personally identifying information and aggregated information that, however public, can amount to equally identifying data, especially when overlaid with other information that includes age, family status, gender, geography–all publicly available but no less personally identifying.
That, in effect, is one of the services Exactis provides, particularly, for example, through a portal called Autoappend. There, a user can input his or her own customer data and generate a whole set of overlay data based on what Exactis can provide. Exactis explains it this way: “Append consumer contact data, such as email address, phone number and postal address, household financial data and demographic insights as well as business email addresses to your customer or prospect lists with match rates as high as 85%.”
According to Wired, Troia found data on almost every random person he searched. Wired’s Andy Greenberg wrote of the breach lucidly, in laymen’s terms: “While it’s far from clear if any criminal or malicious hackers have accessed the database, Troia says it would have been easy enough for them to find. Troia himself spotted the database while using the search tool Shodan, which allows researchers to scan for all manner of internet-connected devices. He says he’d been curious about the security of ElasticSearch, a popular type of database that’s designed to be easily queried over the internet using just the command line. So he simply used Shodan to search for all ElasticSearch databases visible on publicly accessible servers with American IP addresses. That returned about 7,000 results. As Troia combed through them, he quickly found the Exactis database, unprotected by any firewall.” (Marketwatch has a good explanation of what Exactis does and what consumers can do in response to data breaches.)
Exactis’s Palm Coast office is at the end of a non-descript corridor on the third floor of the Katz building on Florida Park Drive, also known as the SunTrust building–past offices for WholisticKneads Massage Therapy, Preferred Shipping, Flagler County NAACP and New Construction Concepts. No one answered the door. Hardigree said he hadn’t been to the office because of the threats. He described it as “three small desks in there and my laptop.” He has three partners in three different states, all working from home offices. The Palm Coast operation alone has a separate office.
As of Friday afternoon, Hardigree said he was still analyzing the fallout from the controversy but would soon provide additional details on the breach, posting the company’s findings on its website–which was the subject of a brute-force attack on Thursday.