The Exactis Security Incident: What You Should Know
You may have read news stories this summer about a security incident involving a company named Exactis. This company is a data broker that collects personal information like email addresses, names, and other details for marketing purposes. An Exactis data set of 340 million American records—including some Davidson individuals—was inadvertently made public this summer. While Davidson was not compromised, the personal information breached by Exactis could be used by malicious actors in the future.
How does this breach affect me, and what should I do now?
Technology & Innovation (T&I) has determined that a number of Davidson email addresses (but not passwords) were collected by Exactis and were part of their data set. These data were not from Davidson systems, but rather from Exactis' ongoing data collection from public sources. While public access to these type of data is not inherently dangerous, we ask that users remain vigilant.
It is possible that malicious actors could use the specificity of these breached records to develop more sophisticated and tailored phishing attempts. If you receive an email that seems suspicious, it is always best to forward such messages to firstname.lastname@example.org for a security analysis. Messages from unknown accounts, even if tailored to you with specific information, may still be malicious. Remain skeptical of these messages, and remember that T&I is always available to help you clarify whether a message is safe to open.
What is Exactis?
Exactis is a Florida marketing firm that collected information on consumers in order to tailor ads to users across the web. Their expansive database of consumer records was stored insecurely on a public server. Although the data were at one point publicly available, it is not known if the data have been accessed or used by malicious actors. Exactis has, at this point, removed all records from public servers.
What kind of data was exposed in the breach?
Data exposed ranges from simple information such as one's name, to more sensitive information such as one's physical address, date of birth, or income level. Notably, account passwords, Social Security numbers, and banking details were not exposed. The following types of data are known to have been exposed by the breach:
- IP Address
- Marital Status
- Personal Interest
- Phone Number
- Physical Address
- Credit Status Information
- Date of Birth
- Email Address
- Financial Investments
- Homeownership Status
- Income Level
How does Davidson protect my information?
Davidson currently follows industry best practices to protect user information. T&I staff are always working to assess security threats in order to keep our community safe. We are continually striving to improve our information security, and are happy to provide departments or individuals with assistance on how to best protect yourself. To learn more about how you can keep yourself safe on the web, contact Nile Chau ‘18 (email@example.com), T&I's Cybersecurity Fellow, to set up a security consultation.
If you have any questions regarding this notice, please email Technology & Innovation at firstname.lastname@example.org, or give us a call at 704-894-2900.
- August 23, 2018
- Technology & Innovation