
Marketing Firm Exactis Leaked a Personal Info Database with 340M Records - georgecmu
https://www.wired.com/story/exactis-database-leak-340-million-records/
======
mysterypie
Oh, man, another missed opportunity to make the average Joe Six-Pack become
aware of data aggregation and privacy violations. If the researcher had
downloaded the 2TB of data and published it as a torrent, then laymen might
care. When someone can query the list and see his own personal information
being broadcast, they will understand. When they realize that anyone can look
up the address, phone, and all sorts of other info about their wife, husband,
girlfriend, boyfriend, boss, children, or neighbor, they might get an inkling
that privacy isn't such a stupid thing to worry about.

I realize that we _all_ suffer if it gets made into a torrent, but sometimes
pain is necessary to get action.

Within a week, this whole thing will be forgotten and nothing will have
changed because privacy is too abstract for most people -- they need to _see_
the personal information that's being collected. The researcher acted
properly, but going full Snowden would have had much greater impact on getting
better privacy-preserving laws and technology.

~~~
RyanZAG
"Missed opportunity" ?

People can be stabbed in the back if they go into dark alleys without watching
behind them. Let's stab a few people who go into these alleys so that everyone
will be afraid to do so and we have an opportunity to prevent people being
stabbed in future by making them aware.

Why would you possibly think this is a good idea? The idea is to prevent pain,
not cause more pain in some bizarre attempt at making people afraid. There's
enough privacy violations - we don't need to be making more of them ourselves.

~~~
jonahx
Your analogy misrepresents the grandfather's point. A closer analogy for his
argument might be:

- Some high number X of dark alley stabbings occur each year.

- But alleys still "feel" safe to people, because the stabbings aren't
well-publicized. So people don't know to avoid them and the rate X remains the
same.

- Let's publicize alley stabbings in an emotionally impactful way, so people
know to avoid alleys and we can bring X down.

In the actual case at hand, the argument is that you break a few eggs so
people understand the issue viscerally, and hope to achieve massive regulatory
change because people now actually care. I don't know if it would work, but
it's a more reasonable idea than you're making it out to be.

Solving the root problem here is orders of magnitude more important than any
single data breach today is.

~~~
smsm42
> Let's publicize alley stabbings in an emotionally impactful way

The top post doesn't promote publicizing data breaches that already happened.
It is promoting obtaining and publishing data that weren't published
before. These are completely different things. Like making a TV series about alley
stabbings - and stabbing actual people in the alley to get better scenes for
this video. The former is great, the latter is a heinous crime which can ruin
the whole cause.

~~~
botverse
It says that the tech savvy bad actors may already have it

~~~
smsm42
Doesn't matter. It's like justifying mugging by saying "well, criminals might
have mugged you anyway, if not me then somebody else". That somebody _might_
have committed the crime does not justify committing it again.

------
AndyMcConachie
It's interesting that we consider this a leak only when the marketing firm
loses the data. If we lived in a just society we would consider it a leak once
the marketing firm _got_ the data.

~~~
mtgx
I've been a proponent of this idea:

Make companies "super-liable" for any data beyond the data they (actually)
need for the functioning of the service that is stolen in a data breach from
their servers.

This would hopefully not just encourage more companies to believe that data is
"toxic" [1] and treat it as a _liability_ , not as an asset, but it would also
encourage them to adopt end-to-end encryption in as many types of services as
possible (and eventually stuff like homomorphic encryption or any form of
encryption that doesn't give the company itself and hackers direct access to
the data).

[1] -
[https://www.schneier.com/blog/archives/2016/03/data_is_a_tox...](https://www.schneier.com/blog/archives/2016/03/data_is_a_toxic.html)

~~~
18pfsmt
The data in this case is their _only_ asset. They are a data broker, and their
entire existence is predicated on the idea that this data is valuable to them.

I think we need to teach people that _their data_ is valuable, likely
dangerous in the hands of others, and not to spew it all over the web. Kinda
like we did before FB convinced everybody to use their real names.

~~~
grasshopperpurp
>The data in this case is their only asset. They are a data broker, and their
entire existence is predicated on the idea that this data is valuable to them.

Other than them, who cares? If you want to put people in harm's way, you
should accept the consequences when harm occurs.

>I think we need to teach people that their data is valuable, likely dangerous
in the hands of others, and not to spew it all over the web. Kinda like we did
before FB convinced everybody to use their real names.

No, it's much easier to hold the companies accountable, and they _should_ be
held accountable. No company that suffers a "data breach" should have the
resources to exist after the breach. Society should punish them out of
existence, because they are known cancers.

------
hhh
With reasonable verification, anyone confirmed to be a part of this breach
should be given access to the data, if only for good will. It's a sad state to
see that the recklessness (or incompetence) of one entity, and at that a
private one, can quickly become a domino in a chain that ends in toppling a
person's privacy.

They advertise themselves as having the most accurate data (why wouldn't they
advertise themselves this way?) If so, the people it affects have a right to
know, and it seems that they have the means to contact them and let them know.

~~~
tjoff
With GDPR that would be your legal right.

~~~
levosmetalo
... if you are European resident.

~~~
Normal_gaussian
Correction: if you are physically present in the EU

~~~
dvlsg
Is physical presence the only requirement to be considered a resident? I
thought you had to be a resident in the EU.

~~~
Normal_gaussian
It's not considering you a resident. The GDPR reads much closer to a
declaration of a human right. For example:

Recital 14 - "The processing of personal data is designed to serve man; the
principles and rules on the protection of individuals with regard to the
processing of their personal data should, whatever the nationality or
residence of natural persons, respect their fundamental rights and freedoms,
notably their right to the protection of personal data"

Article 3 (2) - "This Regulation applies to the processing of personal data of
data subjects who are in the Union"

This hasn't been tested, and each member state could prosecute differently,
but it was certainly discussed and then structured in such a way to be a
fundamental truth, and in my non-legal opinion (based mainly just on having
read the majority of it) it would be interpreted as such by EU courts (ie, not
member state courts)

------
mikehollinger
From their privacy policy:

“In order to be in line with Fair Information Practices we will take the
following responsive action, should a data breach occur: We will notify you
via email • Within 7 business days We will notify the users via in-site
notification • Within 7 business days We also agree to the Individual Redress
Principle which requires that individuals have the right to legally pursue
enforceable rights against data collectors and processors who fail to adhere
to the law. This principle requires not only that individuals have enforceable
rights against data users, but also that individuals have recourse to courts
or government agencies to investigate and/or prosecute non-compliance by data
processors.”

------
reilly3000
Information inequity. Whoever has access to this data had an advantage over
340M people, and an opportunity to understand and influence them.

I think the antithesis of this would be information redistribution. Everybody
should be entitled to access all of this information if anyone has it. Just
for fun let's say the only caveat is that all information access is also public
and linked to each identity.

Do you think it's better off in the hands of the highest bidders???

~~~
stef25
Companies are in some cases (in many cases actually) perfectly allowed to
collect user information and from a business perspective would be stupid not
to do so.

Every time you use a loyalty card that information is collected and yes it's
used to understand you and perhaps even influence you, to buy certain
products. Buying diapers? Have a look at these baby toys. Most people will
throw their personal information out there for a price reduction.

The problem here is the leak, not the fact that it exists.

~~~
mulmen
When did I buy diapers from Exactis? I’ve never even heard of them.

I know exactly what my Safeway card is used for. I also deliberately do not
register my phone number or other information to it. Of course they can
probably associate it with my credit card but these things are easy to reason
about.

The real problem is combining all these datasets in one place for the purpose
of perpetuating information asymmetry as a product.

So actually yes, the problem _is_ that this dataset of every single American
exists.

~~~
ur-whale
You seem to believe you can ward off information collection efforts by
controlling yourself what you do and do not communicate to the rest of the
world.

While I sincerely admire the quixotic effort, I suspect you are fighting a
losing battle.

There are countless situations in daily life where you have no choice but to
leak some tiny bit of information about yourself to an external database, and
from there on, it's just a matter of cobbling the bits back together.

~~~
pilsetnieks
> and from there on, it's just a matter of cobbling the bits back together

Maybe it shouldn't be. The bit of info I gave about myself I gave (even if
implicitly) to a specific entity for a specific purpose. To sell or give that
bit to another unrelated, unknown to me entity for an entirely different
purpose is a violation.

~~~
ur-whale
I agree.

But there's unfortunately no regulation in place to ensure that.

And if there were, GDPR style, there would still be the matter of:

- enforceability

- exceptions for e.g. authorities

------
achillean
There is currently 904.8 TB of data available on Internet-exposed Elastic
clusters. Here is an overview of where these servers are located:

[https://www.shodan.io/report/yhaN9gje](https://www.shodan.io/report/yhaN9gje)

~~~
mtremsal
2.6MB per person on average? That's a lot of personal data...

~~~
INTPenis
An exposed elasticsearch server does not equal personal data though. It can be
used for anything really. I have two systems that use ES and none of them for
personal data.

------
hopeless
A lot of people complained that GDPR was too onerous on small firms and that
they should be exempt. According to LinkedIn
[https://ie.linkedin.com/company/exactis-llc](https://ie.linkedin.com/company/exactis-llc)
Exactis has just 10 employees (obviously some error possible. Call it 15-20?)

Now do you think small firms can’t hold large quantities of damaging data?

~~~
lucb1e
That sounds a lot like "I told you so" tone when I still disagree with you.
But in case you're here to talk about it and not just to assert your version
of the truth, no, I don't think anyone ever claimed that small corps are a
loophole. Then big corps would just delegate it to a shell company and be done
with it. European law is, to the best of my knowledge, fairly reasonable: if
you do something wrong regarding privacy either because you didn't know (like,
you tried to follow GDPR but missed something) or do a small thing, you won't
get ridiculous fines. But if you're a 10 person company working with huge
amounts of personal data and you were grossly negligent, then of course
they'll look at that differently from a 10 man company that produces pencils
for retailers and incorrectly stored customers' delivery addresses.

~~~
faho
What I'd love to know is how much of that is codified law (as in, in the actual
act) as opposed to just expected to come from reasonable courts.

~~~
hydrox24
Courts will always base their decisions on case law, and I suspect that you
can reasonably expect a certain kind of GDPR case law to arise, given what the
standing case law is already.

~~~
raarts
The EU has a civil law system where the US has a common law system.

Common law gives judges an active role in developing rules; civil law is based
on fixed codes and statutes.

Case law is not binding in the EU.

~~~
chimeracoder
> Common law gives judges an active role in developing rules; civil law is
> based on fixed codes and statutes.

This is a dramatic and misleading oversimplification. Under civil law systems,
judges still do have great leeway with interpreting and applying regulations.
And under common law, it's not really true that judges have an active role in
developing rules - they have the ability to interpret them in the contexts of
cases which come up, but they don't legislate. The closest thing that they can
do (aside from overturning provisions) is to introduce limitations or tests on
existing law that is challenged, but even then they're mostly only allowed to
do that to the extent that they are using the tests to connect the law back to
the Constitution or other existing legislation.

Case law is not binding in civil law (at least not to the same degree as it is
under common law), but does definitely play a significant role.

Furthermore, it's flat-out wrong to say that "case law is not binding in the
EU". The Republic of Ireland and the UK both use common law, under which case
law _is_ binding. Not only are UK court decisions enforceable across the
entire EU, but UK law is actually the jurisdiction for a lot of contracts and
agreements within the EU, similar to how New York is the chosen jurisdiction
for a lot of contracts or even international treaties that are enforced
worldwide, whether or not the parties are based in New York.

Even if you're referring specifically to legislation passed by the European
Parliament itself, it's still not really correct to say that case law isn't
binding. The European Parliament is an international body held together by
international treaties, and while EU courts might have decided to use civil
law in interpreting legislation passed by the European Parliament itself, that
doesn't mean that case law does not come into play, either in countries with
common law systems or even in countries with civil law systems. It's way more
complicated than that.

This is, incidentally, one of the problems that Brexit is currently
introducing: it's unclear whether parties that have elected to govern their
contracts under UK law will continue to be able to do so with the expectation
of enforceability.

------
tbrock
Is there a torrent yet? I want to lookup my own data.

~~~
astura
It was discovered by a white hat; he didn't publicise a data dump.

~~~
jacquesm
Let's hope they were the first to discover it.

~~~
Rjevski
I hope they were not and this data ends up public.

I’d love to search this database for the details of top people at privacy-
violating companies and publish them.

~~~
macintux
> I’d love to search this database for the details of top people at privacy-
> violating companies and publish them.

Who defines "privacy-violating"? Jumping into the mud because you feel
aggrieved just makes you look like a pig.

~~~
Rjevski
Facebook? Equifax? Ad networks?

Basically anyone who profits off user data and makes it difficult/impossible
to opt-out.

~~~
astura
This is pretty silly, you're going to publish something everyone already
knows? What do you think that's going to accomplish? Most of these companies
are publicly traded and finding top people in the private companies is just a
Google search away. This business is all done out in the open.

You can even force the companies subjected to the FCRA[1] to give you a report
on exactly what they have on you.

[1] They are subject to the FCRA if the data is sold to companies who make use
of it in credit, employment, and housing decisions.

~~~
jacquesm
It's not all that silly actually. Politicians and corporate CEOs make the
decision but rarely are on the receiving end of the fall-out. By concentrating
on them and by distilling out that information from a much larger body of data
enough of an embarrassment could be put together that they might start to pay
attention.

As long as all those needles are safe in the haystack they can be ignored, a
stack of needles on the other hand is not so easily ignored.

------
axaxs
When will this stop? When's the last straw? If I gave a bank 100 dollars, and
they lost it, I'd have avenues with which to pursue some sort of justice. If I
give a company my data, and they lose it, oh well. I wish all personal data
was treated like HIPAA, at a minimum.

~~~
craftyguy
> When will this stop? When's the last straw?

When the top folks in the US government are personally affected. Until then,
"congressional hearings" and presidential ambivalence are the most action we'll
get out of them. Most people don't really understand what the significance of
these events is.

~~~
JumpCrisscross
> _When the top folks in the US government are personally affected_

The OPM breach covered a lot of powerful senior people.

~~~
astura
Not only that, but the Russian site exposed[dot]su has published personal
information, including SSNs, about a lot of powerful people, including
Michelle Obama, Robert Mueller, Eric Holder, and Hillary Clinton.

[https://krebsonsecurity.com/2014/03/who-built-the-id-theft-service-ssndob-ru/](https://krebsonsecurity.com/2014/03/who-built-the-id-theft-service-ssndob-ru/)

------
j16sdiz
I still can't understand why leaking SSNs should do me harm. These are primary
keys, not credentials. But everybody is treating them as credentials.

~~~
test6554
Tell me about it. We need a government account that grants access to banks and
utilities via oauth or some other cryptographic protocol that allows
revocation at will.

~~~
astura
Except that's a political nonstarter in the US. The military has a 2FA
smartcard authentication system that works really well, so it's not like it's
infeasible.

A number of very different groups are very opposed to the very idea:
libertarians, (some) Christians, and (many) civil rights activists being the
most vocal.

------
codedokode
It is obvious that selling customers' data gives more profit than not selling.
No wonder that in countries with little regulation personal data are collected
and sold en masse. It is the most profitable strategy for companies that have
those data.

------
mtully
As a US citizen, traveling in the EU, what rights do I have under GDPR? Can I
request data and erasure from Exactis while abroad?

~~~
EuCitizen2018
No, as a US citizen you have no such GDPR protection. If Exactis operates also
in the EU, EU citizens may request their data or erasure of their data from
Exactis.

------
fouc
> "I don’t know where the data is coming from, but it’s one of the most
> comprehensive collections I’ve ever seen"

> Each record contains entries that go far beyond contact information and
> public records to include more than 400 variables on a vast range of
> specific characteristics: whether the person smokes, their religion, whether
> they have dogs or cats, and interests as varied as scuba diving and plus-
> size apparel.

It might be "comprehensive" but is it comprehensive in a scary way? It's
probably just 400 machine learning features that are estimating what people
might like, so not necessarily super accurate?

~~~
dredmorbius
False or misleading information can also be harmful, if widely disseminated.

Birth certificates. Creditworthiness.

 _At the age of 54, Sigmund Arywitz was a healthy American success story. He
was making $30,000 a year as executive secretary and treasurer of the Los
Angeles County Federation of Labor, AFL-CIO, his family was sound, his
reputation high on all counts, and he had just finished eight prestigious
years in Sacramento as state labor commissioner under Gov. Edmund G. (Pat)
Brown. But something was awry. In the space of one year, five Los Angeles
department stores refused Sig Arywitz charge accounts, and a major car-leasing
company turned him down for credit -- even though he had a walletful of oil-
company and other credit cards and had always paid his bills on time...._

1970

[http://www.thedailybeast.com/articles/2013/06/11/is-privacy-dead.html](http://www.thedailybeast.com/articles/2013/06/11/is-privacy-dead.html)

See also: Cardinal Richelieu.

~~~
severine
> See also: Cardinal Richelieu.

Context on the reference:
[https://history.stackexchange.com/questions/23785/what-did-richelieu-mean-by-his-six-lines-quote](https://history.stackexchange.com/questions/23785/what-did-richelieu-mean-by-his-six-lines-quote)

------
gregjwild
More and more this just feels like the modern crisis of capitalism. The
declining rate of profit is so extreme that we have to institute a corporate
marketing panopticon designed to sell you shit you don't need, to the extent
we're willing to risk that panopticon leaking dangerous information to non-
state actors that could lead to theft, extortion, or worse.

And we're not even beginning to think about what this can be used for by
authoritarian regimes (cf.
[https://www.madamasr.com/en/2014/09/29/opinion/u/you-are-being-watched-egypts-mass-internet-surveillance/](https://www.madamasr.com/en/2014/09/29/opinion/u/you-are-being-watched-egypts-mass-internet-surveillance/))

~~~
wu-ikkyu
>And we're not even beginning to think about what this can be used for by
authoritarian regimes

"Big data" was crucial to the operational efficiency of the Holocaust

[https://en.m.wikipedia.org/wiki/IBM_and_the_Holocaust](https://en.m.wikipedia.org/wiki/IBM_and_the_Holocaust)

------
mic47
I think that the right title should be "Marketing Firm Exactis Exposed a
Personal Info Database with 340M Records on Internet". This is not a
leak, at least there is no evidence of it yet. While this does not downplay
this security "mishap", there is still a big difference between "someone robs a
bank" and "bank left their vaults open".

OTOH, it would be interesting to know how they got hold of such data.

~~~
pbhjpbhj
Unusually for me I find your pedantry here too quibbling - even if the bank is
left open taking the money is still theft (robbery is with threats/force in my
jurisdiction, UK).

~~~
azeotropic
The point is there's no evidence a robbery occurred. Someone phoned the bank
and told them they saw the vault was left open and that they had better count
the money. Nobody knows whether anything was taken yet.

~~~
spydum
What is messed up is if the firm doesn't have sufficient visibility/logging,
they can claim "no evidence" the data was accessed (purely because they had
their eyes closed). IMHO that is negligent - but sadly the various laws tend
to support it.

------
empath75
This will continue to happen until the laws change such that holding personal
information is a liability, not an asset.

------
rishabhd
Where is the American version of GDPR when we need it? This is arguably worse
than the Equifax one.

edit: nope, this is infinitely worse.

~~~
labster
It's coming to California in 2020:

[https://news.ycombinator.com/item?id=17420849](https://news.ycombinator.com/item?id=17420849)

------
astura
What is the source of this data?

Without more information I can only assume they are scraping public records
just like sites like Spokeo etc. Perhaps with some data analysis thrown in.

So I don't see much of a personal concern; especially since their business
model appears to be selling this very data!

~~~
greglindahl
I think you're a bit confused by what data Spokeo has. Most of it is generated
on the fly when you do a query, by scraping other sources.

~~~
astura
That's what I mean though.

If this data comes from just scraping other sources that are freely and
publicly available and applying some shitty data analysis on it, why should I
be particularly concerned? The data itself is already out there for someone to
find if they wanted to or even buy it from this company if they are too lazy
to scrape themselves.

However, the source of the data wasn't in the article.

------
asimpletune
I think a lot of these incentives could be resolved by just treating data as a
liability.

------
sorokod
_William Pearson

CTO

Will is a highly accomplished IT Executive designing and developing self-
service software applications built on BIG Data, running in Cloud
Infrastructure in highly secure environments, leveraging analytics and
yielding high profits and rapid growth.

He is responsible for technology strategy which includes highly accurate and
automated data processing, cloud infrastructure, MS Azure platform-as-a-
service, Cloudera / Hadoop Data Management Platform, APIs, Marketing
Automation Platform, Analytics, and Digital Marketing._

( [http://www.exactis.com/about-us/](http://www.exactis.com/about-us/) )

highly ironic

------
psergeant
I wonder what’ll happen if they’ve sucked up a bunch of European data too

------
394549
Has anyone mapped out all of the data brokers that are active in the US, what
information they collect, what their sources are?

I imagine a lot of that info is proprietary, but I'd really like to understand
this industry better. It's probably a foolish hope, but I really hope there
are a few main choke points that one could opt-out of. If that's not possible,
I could always try to inject bad data into the system, if I know what their
inputs are.

------
DmitryOlshansky
Yeah. I’m not a god or something, but I’m ashamed of “experts” that work(ed?)
there.

At the very least it’s a pity that even good people make _mistakes_ like that.

Until that day, whatever I do that is at least robust, doesn’t require
maintenance each 2-3 months etc. not even fast, just decent.

In short, while our industry _features_ stuff like that I will be angry, sad
etc. But boy I will always have money, I might have a lot of _fun_ at least for
some definition of fun!

------
djrogers
Don't you love it when a company you've never heard of turns out to have a ton
of personal info on you, and then just gives it away?

------
JustSomeNobody
Fortunately, at this point, with all the leaked data, it's nothing really new
that others don't already have.

Seriously, though, this is just getting out of control. I'm almost to the
point of writing my representatives. I don't think the industry can adequately
self-police.

[Edit] By "industry" I mean _any company_ who handles my personal data.

------
zeroisnowfour
"Marketing Firm doxes 340M victims"

------
usermac
This always makes me think that if we had a semantic web that this would be
unnecessary. I know, I know, that's unrealistic but hear me out. It means that
you wouldn't have to hoard data such as in this case. Yeah I know, terrible
idea but I think about this logic.

------
EGreg
Why exactly are people not paying more attention to projects like MaidSAFE
which are working diligently to _solve_ these problems once and for all?

Why do we assume we have to make an arbitrary choice of landlord to trust just
so we can get basic things done on the Internet?

------
auslander
Don't forget that _you_ leaked all that info in the first place.

Do you use an ad-blocker, VPN, private browsing, same on the phone too? All
privacy settings in Facebook, avoiding Gmail and Google? No?

At least teach your kids to.

~~~
seandougall
You go through all that trouble, and yet ... you have a Facebook account?

Anyway, the info being leaked here isn't dependent on browsing history.
Companies have been gathering these sorts of profiles far longer than most
people have been using the Internet. The only way to avoid it is not just to
never have Internet access at all, but never have a credit card or a bank
account, never own a house or sign a lease, never drive a car, never register
to vote, etc. If you do any of those things, even temporarily, you could be
leaking information that can't be unleaked.

~~~
auslander
True, it's impossible to stop banking leaks. I recently found that Visa and
MCard sell not only transaction totals, but _Itemised_ data, like eggs, 2x
milks, chocolate brand. I guess I'll fill my wallet with cash for shopping.

Many people cannot jump off Facebook. I just use Messenger for comms.

And it's no trouble; after setting it all up, in a few months you'll hardly notice
it, it will be the new normal.

Forgot to add, use several emails, one for government, one for Facebook, and for
ones you will not use, like shop and blog accounts, create a few Protonmail
ones; it will be harder to put them all together by data mining.

If a registration page asks, give fake names, DOB, phone numbers. Make it a
habit asking yourself - does this shop really need this data to be real?

------
chatman
And, they made fun of RMS... He was telling you what the future holds. This is
just a trailer of what is to come.

~~~
jonhendry18
Information wants to be free. That includes information you don't want to be
free.

~~~
wglb

        Information wants to be free
        Unless it is about me

------
throw23
What's the big deal? Isn't this going to be the same copy of data that was
previously leaked in other leaks?

What new category of data is leaked in this?

------
rocketperson7
Does anyone else feel like this could just be a kind of stunt pulled out of
thin air described by "Trust me, I'm lying"?

------
aalleavitch
This is laughable. Data security is a fairy-tale. We've all been bought and
sold and there is nothing any of us can do to fix it.

~~~
mmiller9
Erm, not opening up this fucking Elasticsearch instance to the entire internet
would be a pretty easy way to get like 90% of the way there. I do operations.
I can tell you exactly how not to make rookie mistakes like this. But security
isn’t sexy, and it isn’t profitable, so it falls by the wayside.
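
For a concrete picture of the mistake mmiller9 describes, here is an added illustration (not Exactis's configuration, and not code from the article): the Elasticsearch setting that exposes a cluster to every network interface beside the hardened settings. Setting names are those used in Elasticsearch 7.x; the keystore file name `http.p12` is an assumption.

```yaml
# elasticsearch.yml -- added example, not the affected firm's real configuration.

# WEAK: this is the shape of configuration that exposes a cluster publicly.
# Binding to 0.0.0.0 listens on every interface, and with security disabled
# anyone who can reach TCP/9200 can read and modify every index without a login.
#
#   network.host: 0.0.0.0
#   xpack.security.enabled: false

# HARDENED: bind only to an address that is not reachable from the internet,
# require authentication, and encrypt both the REST and node-to-node traffic.
network.host: 127.0.0.1                 # or a private-subnet address behind a firewall
http.port: 9200
xpack.security.enabled: true            # every request needs a user or API key
xpack.security.http.ssl.enabled: true   # TLS on the REST API (port 9200)
xpack.security.http.ssl.keystore.path: http.p12   # assumed keystore file name
xpack.security.transport.ssl.enabled: true        # TLS between cluster nodes
```

After deploying, confirm from a host outside the network that port 9200 is not reachable, and review the access logs so that any future exposure leaves evidence instead of the "no evidence" blind spot spydum mentions.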

~~~
aalleavitch
The problem isn’t that these people are incompetent at network security (they
are), the problem is that these people had your data to begin with. Data
security is impossible because there is a massive shadow market for your
entire life history and no amount of privacy setting theater will make up for
the fact that your personal data is currently the target of an insatiable
feeding frenzy.

------
ur-whale
Obligatory flashback: [https://www.wired.com/1999/01/sun-on-privacy-get-over-it/](https://www.wired.com/1999/01/sun-on-privacy-get-over-it/)

------
Rjevski
Would be good to get a copy of this database to search the details of top
executives involved in privacy-violating companies and publish them.

~~~
test6554
Not likely

------
azinman2
And... no one will go to jail.

~~~
microcolonel
Who exactly should go to jail, and what would that help?

For all the do-something-ism in the world, doing "something" often amounts to
making things worse, while allowing actual avenues for improvement to fester.

~~~
aalleavitch
What will help?

~~~
microcolonel
Find a way to use the unique position of the operators of this database to
assist those affected in preventing identity theft and other threats which are
worsened by the leak. Maybe figure out if there is money out there to account
for the cost of that.

------
jonhendry18
So what are the odds someone at Exactis was paid off to loosen the access
controls and provide relevant access info to the buyer?

A lot of people would probably do that for a chunk of money.

Starting to think that with databases like this, any configuration change that
involves exposure to the internet should involve two company officers turning
keys like in a nuclear missile launch.

------
rpearl
"exposes" here is quite a strange term, because their entire business is
selling that same data.

The only difference is that it was briefly available without a price tag.

~~~
test6554
That assumes they would sell to absolutely any group including terrorists,
hate groups and sanctioned countries.

At least without the leak they have the option to refuse.

~~~
wu-ikkyu
>That assumes they would sell to absolutely any group including terrorists,
hate groups and sanctioned countries.

Shell companies and fronts are a great workaround for that.

How do _you_ know who they sell to? And then, after it's been sold the first
time, how do you know where the copies of that data are being sold to by the
buyer?

Turtles all the way down.

------
burntrelish1273
_Every American's DNA was leaked and a malicious AI bot is making a
customized oncovirus for each if they visit Washington, D.C. "Oops, our bad.
Here's a coupon half-off Tamiflu."_

Externalities of data breaches keep increasing.

~~~
arpa
You should write a modern cyberpunk story!

~~~
burntrelish1273
Dick is my middle (nick)name, but my name isn't Philip K. Dick. I'd be
turgidly-pressed to write anything comprehensible, much less worth reading.
And I'm already starving, I'd have to lop off more than my ears to be a proper
starving artist... oh wait, that didn't come out right. Nothing to see here,
carry on.

~~~
arpa
All I'm saying is that I liked your short vision of a possible reality, and
I'd love to read even a short story about it. Hell, I'd _write_ a short story
about it, although I doubt my English is good enough for anything beyond
simple small talk; I envy people with more imagination than I have. That being
said, why are you starving, man? I've gone through some of your comments, and
it seems you are having some sort of trouble with the mind parasites. I have
no idea whether it is possible to PM on HN, but, should you need an anonymous
ear, I've been told I am a good listener. Otherwise, I just want to tell you
that if you put your mind to it, you will find the source of power inside of
you with some help or without, and things are going to work out. Oh, and read
Mind Parasites if you can - it has helped me with my depression quite a bit.

------
mr_spothawk
spoiler alert: nobody goes to jail.

~~~
hn_throwaway_99
In all seriousness, what law (in the US) has this company broken? I'm assuming
all the data they got was somehow obtained through legal channels in the first
place?

People may be up in arms about this being a "breach", but think about it:
they're a "data brokerage" company. Consider this breach a sale price of $0.
My point is what should be scary is that all of this data is bought and sold
about all of us, all the time, in the first place.

~~~
mmiller9
Just because it’s legal doesn’t make it right. No, there is no law against
this. That’s a problem, and it will continue to be a problem until it either
affects enough CEOs or some Congressman’s kid gets screwed over by it. Until
then we’re all going to be forced to clean up the messes ourselves.

~~~
hn_throwaway_99
I'm not saying it's right, but the original comment was basically complaining
that no one will go to jail for this. People shouldn't go to jail for things
that are subjectively "wrong" if they're not illegal.

------
jimjimjim
there is never any punishment for corporations.

death's too good for them.

~~~
castis
What a shitty thing to say. Suggesting that death is a reasonable response to
this is absurd.

~~~
jacquesm
A corporation dying is the equivalent of revoking their corporate charter, no
reason to respond as though we're talking about actual people.

