Photo: Ryan Ketterman
Inside one company's damaging data-security lawsuit
Last June, an obscure Palm Coast firm briefly made national news for inadvertently exposing data on consumers and businesses to hackers. Headlines suggested much more than a routine data breach. “Marketing Firm Exactis Leaked a Personal Info Database With 340 Million Records,” read the headline on Wired, which broke the story June 27. The researcher who was the story’s source said the database looked to contain data on “pretty much every U.S. citizen.” The next day, the first suit seeking class-action status was filed against Exactis.
Exactis’ CEO, Steve Hardigree, 50, is a talkative man who wasn’t silenced by his lawyers — indeed, he couldn’t find a suitable lawyer for five months. Hardigree offers some insight in how a data-security case can look from the company’s side.
Hardigree moved to Florida in 1982. The first in his family to go to college, he earned a bachelor’s in marketing from Florida Atlantic University and joined a Boca Raton mailing list company. In the early 1990s as email and the web took off, he got the idea of doing email lists. In 1998, CNN profiled him in a story about spammers. That piece said his Internet Media Group would pull in from $750,000 to $1 million that year. He sold that company and semi-retired to Palm Coast, where in 2015 he founded Exactis.
Exactis is the online equivalent of the marketing databases that land a bevy of traffic school fliers in your regular mail after you get a ticket for speeding or the stack of direct mail cards you get from home security and pest control companies after you buy a house. Exactis acquires publicly available data on businesses from places such as the Florida Secretary of State’s corporate records site. It also purchases data on individuals from companies that acquire emails, phone numbers and other consumer marketing data points through online promotions, quizzes — all the stuff where consumers check a box agreeing to having their data shared for marketing purposes.
Exactis, largely mothballed since the disclosure, compiles the data and makes it sortable by fields — like a guess at income based on ZIP code. It then licensesd the data to businesses that want to reach consumers or other businesses.
Hardigree says he worked hard to police the lists so that customers bought quality leads. “You’d be surprised how many John F. Kennedys we get,” he says. Exactis had nothing as sensitive as credit card or Social Security numbers or passwords. “I’ve played by the rules since inception,” Hardigree says, adding that he’s been a member of an industry direct marketing group since the early 1990s.
Then in June, a New York researcher and “ethical hacker” named Vinny Troia did a search looking for exposed data. He found Exactis, contacted the company about its problem and told Wired.
Hardigree says a single server holding company information was inadvertently left unsecured. That “open port” was closed, he says, as soon as Troia’s message got through to the company — the equivalent of forgetting to lock the front door in the morning as you leave for work. There’s no evidence of “exfiltration,” he says — no sign that someone actually went into the files and made off with data.
Hardigree wasn’t prepared for what followed. “I must have had 1,000 calls to my office,” he says, including a death threat. More common were seniors afraid their information had been stolen.
The suit filed the day after Wired’s story called the incident “one of the biggest and most damaging data breach cases exceeding Equifax and other massive data breaches — in both scale and information disseminated,” involving more than 3.5 billion records.
“You talk about a mountain out of a molehill,” Hardigree says. “They thought we were part of Experian. They thought they had a big fish.” The fish actually amounted to a small office in Palm Coast and numbered four partners.
After the disclosure, Hardigree’s colleagues in the company left him. The majority of customers did too. Efforts to obtain comment from Chicago law firm DiCello Levitt & Casey, the top listed plaintiffs firm suing Exactis, weren’t successful. John Yanchunis, of Morgan & Morgan, who also is a lead attorney, says the plaintiffs attorneys had to wait for the company to get a lawyer. That finally happened in November.
Hardigree says the plaintiff firms won’t be able to prove damages because none occurred. He says the company has no assets in any case. The damage to the company might be irreparable, he says, but, “I’m not going to go down without a fight.”
Read more in our February issue.
Select from the following options:
* offer valid for new subscribers only