A class action lawsuit was filed against Florida marketing data company Exactis LLC alleging a data breach affecting 230 million Americans and 110 million businesses.
“This case concerns one of the biggest and most damaging data breach cases, exceeding Equifax and other massive data breaches in both scale and information disseminated,” the complaint reads.
Palm Coast-based Exactis compiles business and consumer data gathered through cookies. That data is sold to other businesses that use it to create customer profiles and better target their advertising to individuals.
“The problem with this kind of model is that, unfortunately, consumers don’t have a say in where their data goes, who has it, who’s collecting it. Because of that, we have absolutely no control over how to keep it safe from hackers when certain companies decide not to apply a standard level of care or certain safeguards to that information,” said Amy Keller of DiCello Levitt, who is also co-lead counsel in the Equifax data breach case with colleague Adam Levitt.
John Yanchunis of Morgan & Morgan in Tampa leads the Exactis class action on behalf of Kenneth Heretick and consumers nationwide.
Robbins Geller partner Stuart A. Davidson in Boca Raton is also working on the case.
Steve Hardigree is CEO of Exactis, a small company with only 10 employees, according to its LinkedIn profile. The company did not respond to a request for comment by deadline.
When news broke Wednesday that Exactis was storing data on “pretty much every U.S. citizen,” Kenneth Heretick of Pinellas County decided to file the suit on behalf of himself and those likely impacted by the breach, Keller said.
Security researcher Vinny Troia of Night Lion Security reported Friday that about 2 terabytes of Exactis information and data on 230 million Americans and 110 million businesses “simply sat in public view” and was breached earlier this month, according to the complaint.
Troia unearthed the breach using Shodan, a search engine that enables users to find computers and databases visible on publicly accessed servers with U.S. IP addresses and no password protection.
The complaint alleges theft of personal information, improper disclosure of personal information, untimely and inadequate notification of the data breach, and unauthorized charges on debit and credit card accounts.
“What we’re trying to do here is say that their actions were negligent or they infringed upon certain consumer protection laws,” Keller said.
Ryan McGee, another Morgan & Morgan attorney on the case, said, “We entrust certain companies, when they gather information on us and put it all into a compiled database, that they’re going to do something to protect that database from being breached.”
Under Florida law, a company that becomes aware of a data breach has a responsibility to let consumers know, McGee said.
“That enables them to go in, change their financial information, alert their banks, freeze their credits, purchase credit monitoring protections and everything else so that they don’t get these thousands of dollars on their credit cards,” he said.
In this case, financial information, such as Social Security numbers or bank details, was not necessarily compromised, according to Keller.
Instead, what was gleaned is the type of information that hackers could use to get into financial or personal accounts.
“Sometimes they can engineer ways around the safeguards of financial institutions and other companies that are entrusted with our most personal details,” McGee said.
If an individual’s information is leaked in this way, he said they can potentially become a victim of fraud.
A searchable PDF file, for example, could have as many as 400 data points on an individual consumer, McGee said.
“Whether you’re a smoker, what kind of car you bought in the last few years, your mother’s maiden name. Those are things that someone could use to answer security questions with your bank account, for instance,” he said.
Keller insists America is in dire need of a federal law to tackle this issue.
“There’s a patchwork set of laws made by each state as to how data is protected but really we should be taking some cues from Europe, which just passed one of the most comprehensive data security laws that allows people to have an understanding of where their data is and how it’s controlled,” she said.
McGee has himself been the victim of a data breach, which resulted in credit card fraud.
“I think about $3,000 in Uber Eats was ordered in a matter of hours,” he said. “Once you’re breached, the damages rack up very quickly.”
“We are not necessarily looking to put the company out of business,” Keller said. “But we want to make sure that they adopt best practices and they ensure that no data was actually exfiltrated or taken by hackers, and that they adapt certain policies to ensure that this kind of thing doesn’t happen again.”
The plaintiffs now await the response of Exactis’ counsel, who is not listed in court papers.
“As we’ve seen, the government isn’t really getting involved in data security, so it really depends upon the private civil justice system to take up these causes and make sure data is protected through lawsuits, to figure out if the conduct was illegal or not and what kind of damages people should be entitled to because their data was compromised,” Keller said.