Exactis, LLC has been hit with a proposed class action lawsuit over a data breach that allegedly exceeds the Equifax fiasco in both the scale and value of consumer and business information left exposed on company servers.
Exactis is a leading compiler and aggregator of business and consumer data. The company houses more than 3.5 billion business and consumer records containing not just phone numbers, home addresses, and e-mails, according to the lawsuit, but also personal interests, ages and genders of consumers’ children, and “other extremely detailed, personal information” that in some cases exceeds 400 data points per business or individual.
Despite being aware of the gravity of and hazards associated with safeguarding such an extensive trove of weaponizable data, Exactis “failed to employ even the most basic forms of security,” the lawsuit alleges. As a result, the company left on a public server the information of more than 230 million consumers and 110 million businesses “bare, unprotected, and available to anyone to download,” the lawsuit claims. The “expansive database” of consumer and business information—approximately two terabytes-worth of data—was discovered by Night Lion Security researcher Vinny Troia, who reportedly stated that the cache contained information on “pretty much every U.S. citizen,” according to the complaint.
From the lawsuit:
“Citizens from across the United States have suffered real and imminent harm as a direct consequence of [the defendant’s] conduct, which includes: (a) refusing to take adequate and reasonable measures to ensure its data systems, as well as the data stored therein, were protected; (b) refusing to take available steps to prevent the breach from happening; (c) failing to disclose to its customers the material facts that it did not have adequate computer systems and security practices to safeguard Personal Information; and (d) failing to provide timely and adequate notice of the data breach.”