Be smart: When a "data breach" isn't a breach

Last week, a Florida company named Exactis exposed information on around 300 million records. While several stories characterized this incident as a breach, it wasn't actually a breach — at least not in the way most people use the term.

Why it matters: When most people hear about a breach, they think a bad guy has stolen data. That’s scary and can affect consumer behavior. But there was no bad guy involved in what happened at Exactis. Instead, the firm left a database online in an unsecured way, allowing anyone who knew where to find it to download it.

The details: There are several different ways data can be exposed by accident online. Companies sometimes misconfigure databases or cloud storage to be open to the public.

  • Most people involved in cybersecurity don’t see this as a breach.
  • The ones that do admit that the word can be misleading.

“We’ve made an effort to stop using the word breach,” said Chris Vickery, a leading investigator of data exposures working for the security firm UpGuard.

Breach of trust: Vickery argues that it is a breach, but of a non-standard sort. “It’s a breach of trust,” he said.

  • Vickery alone has found data as varied as a commercial terrorism watch list, registered voter databases and contractor plans for secure government systems.
  • Researchers use specialized search tactics to locate exposed data. It’s not easy work — most exposed data is intentionally left exposed.

The intrigue: Within hours of Wired breaking the story on the Exactis exposure, outlets started comparing the incident to Equifax as a potential record-breaking data breach.

  • In Equifax, an actual hacker stole records.
  • In Exactis, a researcher searching for exposed databases discovered the open database. There was no evidence anyone maliciously downloaded the files.

Be smart: It’s important to understand the difference between data exposures and data breaches, because they will keep coming up. The lexical difference doesn’t make a bad thing good. It’s still problematic to have data exposures.

“Every non-malicious breach is something hackers could have found,” said Vickery.