Be smart: When a "data breach" isn't a breach
Last week, a Florida company named Exactis exposed information on around 300 million records. Several stories characterized the incident as a breach, but it wasn't one, at least not in the way most people use the term.
Why it matters: When most people hear about a breach, they think a bad guy has stolen data. That's scary and can affect consumer behavior. But there was no bad guy involved in what happened at Exactis. Instead, the firm left a database reachable on the open internet without access controls, so anyone who knew where to look could download it.
The details: There are several different ways data can be exposed by accident online. Companies sometimes misconfigure databases or cloud storage to be open to the public.
- Most people involved in cybersecurity don't see this as a breach.
- Those who do concede that the word can be misleading.
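To make the cloud-storage case concrete, here is a small checker (added as an illustration; it is example code, not anything from the article, from Exactis, or from the researchers quoted) that reads an S3-style bucket policy and flags statements granting read or list access to everyone. The bucket name, account ID and policy documents are constructed for the example.

```python
import json

# Added example: an offline check for the "cloud storage left open to the
# public" misconfiguration. It inspects an S3-style bucket policy document
# and reports statements that let an anonymous caller list or download
# objects. All policies below are constructed samples.

# Actions that let an anonymous caller enumerate or download objects.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    """Policy fields such as Action and Principal may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when the Principal matches everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS")))
    return False


def public_read_statements(policy_json):
    """Return the Sids (or positional labels) of statements allowing anonymous read/list.

    A statement is reported when Effect is Allow, the Principal is anonymous,
    and at least one Action can read or list objects. Statements carrying a
    Condition block are still reported: conditions such as aws:SourceIp are
    easy to get wrong, so a human should look at them rather than a script
    silently trusting them.
    """
    policy = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if actions & READ_ACTIONS:
            findings.append(stmt.get("Sid", f"statement[{index}]"))
    return findings


# Constructed sample: a bucket opened to the world, the kind of setting
# someone applies to make a data feed "just work".
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"]},
    ],
})

# Constructed sample: the same bucket restricted to one IAM role
# (123456789012 is a placeholder account ID).
LOCKED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "RoleRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/exporter"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

if __name__ == "__main__":
    print("open bucket:", public_read_statements(OPEN_POLICY))
    print("locked bucket:", public_read_statements(LOCKED_POLICY))
```

The check is deliberately conservative: it treats a wildcard principal as public even when a Condition is present, because the point of an exposure review is to surface everything that needs a second look, not to reason about whether a condition happens to be tight enough.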
“We’ve made an effort to stop using the word breach,” said Chris Vickery, a leading investigator of data exposures working for the security firm UpGuard.
Breach of trust: Vickery argues that it is a breach, but of a non-standard sort. “It’s a breach of trust,” he said.
- Vickery alone has found data as varied as a commercial terrorism watch list, registered voter databases and contractor plans for secure government systems.
- Researchers use specialized search tactics to locate exposed data. It's not easy work: most of the data reachable online is meant to be public, so separating accidental exposures from intentional ones takes real effort.
The intrigue: Within hours of Wired breaking the story on the Exactis exposure, outlets started comparing the incident to Equifax as a potential record-breaking data breach.
- In the Equifax case, an actual hacker stole records.
- In the Exactis case, a researcher searching for exposed databases found it. There was no evidence that anyone downloaded the files maliciously.
Be smart: It’s important to understand the difference between data exposures and data breaches, because they will keep coming up. The lexical difference doesn’t make a bad thing good. It’s still problematic to have data exposures.
“Every non-malicious breach is something hackers could have found,” said Vickery.