November 28, 2021

HERE’S WHAT IT’S LIKE TO ACCIDENTALLY EXPOSE THE DATA OF 230M PEOPLE

STEVE HARDIGREE HADN’T even gotten to the office yet and his day was already a waking nightmare.

As he Googled his company’s name that morning last June, Hardigree found a growing list of headlines pointing to the 10-person marketing firm he’d founded three years earlier, Exactis, as the source of a leak of the personal records of nearly everyone in the United States. A friend in an office adjacent to the one he rented as the company’s headquarters in Palm Coast, Florida, had warned him that TV news reporters were already camped outside the building with cameras. Ambulance-chasing security firms were scrambling to pitch him solutions. Law firms had rushed to assemble a class action lawsuit against his company. All because of one unsecured server. “As you can imagine,” Hardigree says, “I went into panic mode.”

The day before that scrum, WIRED had revealed that Exactis exposed a database of 340 million records on the open internet, as first spotted by an independent security researcher named Vinny Troia. Using the scanning tool Shodan, Troia identified a misconfigured Amazon ElasticSearch server that contained the database, and then downloaded it. There he found 230 million personal records and another 110 million related to businesses—more than two terabytes of information in total. Those files didn’t include credit card information, passwords, or Social Security numbers. But each one enumerated hundreds of details on individuals, ranging from the value of people’s mortgages to the age of their children, as well as other personal information like email addresses, home addresses, and phone numbers.

Exactis licensed that information to marketing and sales customers, so that they could integrate it with their existing databases to build more comprehensive profiles. But privacy advocates have warned that those same details, left open to the public, could just as easily allow spammers or scammers to profile targets.

The sort of accidental mass data exposure Exactis experienced is hardly unique, given the string of similar or worse private info spills that have happened even in the months since. Much rarer, however, is Exactis founder Steve Hardigree’s willingness to talk to WIRED about that experience: being the company at the center of a nationwide data privacy fracas, as well as dealing with the legal, bureaucratic, and reputational fallout.

The result is a cautionary tale about the liability that a massive dataset can create for a tiny company like Exactis. It also hints at just how easy it’s become for small firms to wield massive, leak-prone databases of personal information—without necessarily having the resources or know-how to secure them.

But first, Hardigree wants to make a point: The Exactis data exposure was no “breach,” he says. He takes issue even with calling it a “leak.” Hardigree insists that while the data was left exposed online in early June of last year—only for a matter of days, Hardigree says, though Troia claims it was more like months—the company’s logs and an external security audit seemed to show that no outsiders actually accessed it other than Troia. The data was secured in response to Troia’s warning prior to WIRED’s story. “We don’t believe it ever leaked,” Hardigree says.

Troia counters that he took a screenshot last July of a listing on a dark web forum called KickAss that appeared to be selling at least part of the Exactis data. (See below.) But Hardigree says that Exactis included false “seed” personas in the database, designed to serve as a test to see if it had leaked, a standard marketing industry technique. Hardigree says he’s continued to monitor those seeds personally, and none have received any emails that would indicate a leak—spam, phishing, or otherwise. He also says he’s been in contact with the FBI and claims the agency has been scanning the dark web for the Exactis data and found none. (The FBI declined WIRED’s request to comment on or confirm this.)
