340 Million Records, $20 Million in Fallout: The Exactis Breach That a Properly Drafted Software License Agreement Could Have Prevented
By Ramyar Daneshgar
Security Engineer | USC Viterbi School of Engineering
Looking for a security engineer? Visit SecurityEngineer.com
Disclaimer: This article is for educational purposes only and does not constitute legal advice.
Introduction
Software license agreements (SLAs) have historically centered on usage rights, indemnification for intellectual property infringement, and payment obligations. However, in an environment where cloud-native services, containerized applications, and API-based integrations form the backbone of enterprise infrastructures, the absence of well-defined security provisions within SLAs can convert ordinary contracts into latent liability vectors.
This case study examines the breach of Exactis LLC, a data aggregation firm that inadvertently exposed 340 million personal records through the misconfigured deployment of Elasticsearch, a widely-used open-source search and analytics platform. The exposure stemmed not from a sophisticated adversary, but from the absence of enforceable license provisions governing secure configuration, vendor responsibilities, and post-incident obligations. The legal, operational, and reputational fallout is estimated to have exceeded $20 million.
Timeline of the Incident
- May–June 2018: Researcher Vinny Troia identifies an Elasticsearch instance operated by Exactis accessible over the public internet without authentication.
- June 26, 2018: Wired publishes a report revealing that 230 million consumer and 110 million business records were publicly accessible.
- Q3 2018: Regulatory inquiries begin. Multiple class action lawsuits are filed. The misconfigured server is decommissioned.
- 2019–2020: Exactis contends with litigation expenses, reputational erosion, client attrition, and remediation obligations.
Technical Summary of the Breach
- Affected System:
  A publicly accessible Elasticsearch cluster deployed with its default configuration on a routable IP address. The instance lacked both authentication mechanisms and network-layer access controls, exposing the dataset to unauthenticated external queries.
- Data Exposed:
  Over 2 terabytes of structured and unstructured data encompassing:
  - Full names and physical addresses
  - Email addresses and telephone numbers
  - Demographic profiles (age, gender, marital status)
  - Behavioral segmentation and consumer interest data
  - Business contact records
  While no financial data or Social Security numbers were present, the scope and granularity of the personal information significantly elevated the risk of identity theft, consumer profiling, and regulatory scrutiny.
- Security Control Failures:
  - No authentication or access control: The cluster lacked user-level authentication, role-based access control (RBAC), or token-based API gating.
  - No encryption at rest or in transit: The data was stored in plaintext and accessible via HTTP without Transport Layer Security (TLS).
  - No network segmentation: The instance was not isolated behind a firewall or VPN and lacked subnet restriction or ingress controls.
  - No audit logging or monitoring: There was no evidence of centralized logging, SIEM integration, or alerting on abnormal access patterns.
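The control gaps listed above can be checked against a node's elasticsearch.yml before it is exposed. The following audit is an added example, not code from the original article or from Elastic; both sample configurations are constructed, and the xpack.security.* keys assume a distribution that ships the security module, which the article notes was part of Elastic's commercial offering rather than the Apache-licensed build.

```python
# Audit an elasticsearch.yml for the four control gaps described above. The
# binding check is only a proxy for exposure: a firewall or VPN in front of
# the node lives outside this file and is verified separately.

# Constructed sample: a node left on its defaults and bound to every interface.
WEAK_CONFIG = """
cluster.name: records-prod
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed sample: the same node with the missing controls switched on
# (assumes the distribution includes the X-Pack security module).
HARDENED_CONFIG = """
cluster.name: records-prod
network.host: 10.0.3.15                     # private address only
http.port: 9200
xpack.security.enabled: true                # users, roles and RBAC
xpack.security.http.ssl.enabled: true       # TLS on the REST API
xpack.security.audit.enabled: true          # who queried what, and when
"""


def parse_flat_yaml(text):
    """Parse flat 'key: value' lines (elasticsearch.yml's usual shape); skips comments."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit(settings):
    """Return one finding per control the article lists as missing."""
    findings = []
    host = settings.get("network.host", "_local_")  # default binds loopback only
    if host in ("0.0.0.0", "::", "_global_"):
        findings.append(f"exposure: network.host={host} listens on every interface")
    if settings.get("xpack.security.enabled", "false").lower() != "true":
        findings.append("authentication: xpack.security.enabled is not true")
    if settings.get("xpack.security.http.ssl.enabled", "false").lower() != "true":
        findings.append("encryption in transit: REST API served over plain HTTP")
    if settings.get("xpack.security.audit.enabled", "false").lower() != "true":
        findings.append("monitoring: audit logging disabled")
    return findings
```

Running `audit(parse_flat_yaml(open("elasticsearch.yml").read()))` against a real node's file returns an empty list only when all four controls are affirmatively enabled; a missing key is treated as disabled.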
Contractual Failures: What the SLA Did Not Address
Exactis deployed Elasticsearch under the Apache License 2.0, a permissive open-source license that expressly disclaims all warranties, including those related to fitness for a particular purpose or merchantability. Crucially, it contains no security obligations, no configuration support requirements, and no vendor accountability for downstream misuse or exposure.
At no point did Exactis enter into a commercial license or support agreement with Elastic N.V., the entity responsible for maintaining and distributing the commercial version of Elasticsearch, which includes hardened security modules, access controls, and enterprise support. As a result, there was no contractual mechanism in place to enforce security baselines or ensure vendor engagement in the event of a breach.
This legal posture left Exactis without enforceable terms related to:
- Baseline configuration standards for secure deployment.
- Mandatory disclosure of known insecure default behaviors.
- Technical support obligations for deployment, hardening, or validation.
- Incident response cooperation, including breach notification timelines.
- Exceptions to liability disclaimers where vendor defaults materially contributed to the exposure.
Missing Provisions and Associated Security Consequences
| Omitted Contractual Provision | Security Consequence |
|---|---|
| Secure-by-default deployment clause | Permitted use of software with open ports, no authentication, and unrestricted access controls. |
| Disclosure of default security posture | No obligation to inform users that the software shipped with insecure configurations. |
| Configuration support and validation | No contractual duty to assist in secure implementation or verify compliance with best practices. |
| Incident response and forensic support | Vendor not required to participate in breach containment or regulatory notification processes. |
| Liability carve-out for insecure defaults | Full indemnification for vendor, even where default configurations directly enabled data exposure. |
Without a tailored license, security addendum, or vendor accountability language, Exactis operated with an elevated risk profile and no contractual recourse—effectively assuming unilateral liability for vulnerabilities that originated with the software provider.
What the Agreement Should Have Included
To mitigate this risk, Exactis should have negotiated or executed a software license agreement that explicitly assigned security responsibilities, disclosure duties, and enforcement mechanisms.
Recommended Security Clauses for SLA Enforcement
| Clause | Purpose | Risk Mitigation |
|---|---|---|
| Secure Configuration Requirement | Mandates closed ports, authentication, and access controls in the base installation. | Prevents deployment with unsafe defaults. |
| Security Posture Disclosure Warranty | Requires vendor to disclose all known default vulnerabilities and risk-prone configurations. | Enables informed risk assessment by the licensee. |
| Deployment Guidance and Hardening Obligation | Imposes a duty to deliver security configuration documentation and production-ready deployment guides. | Minimizes misconfigurations by operational teams. |
| Security Features as Standard Deliverables | Requires bundling of TLS, RBAC, audit logging, and encryption without requiring additional licensing. | Establishes a secure-by-design deployment baseline. |
| Breach Response Cooperation Clause | Requires timely vendor assistance during incidents, including forensic logs and advisory support. | Accelerates breach containment and facilitates legal/regulatory compliance. |
| Joint Liability for Default Vulnerabilities | Voids liability disclaimers where insecure defaults are the proximate cause of data compromise. | Incentivizes vendors to adopt secure defaults and assume shared responsibility. |
| Audit and Verification Rights | Permits the licensee to review the software’s security posture, patch cadence, and vulnerability disclosures. | Empowers the customer to ensure compliance with internal and legal standards. |
Such terms are appropriately negotiated into Master Services Agreements (MSAs), Software License Agreements (SLAs), or Data Processing Agreements (DPAs) where the software will process personal data or interface with regulated systems.
Legal Fallout and Economic Impact
Though Exactis avoided formal federal fines—due to the pre-CCPA timing—the aftermath was extensive:
- Litigation: Multiple negligence-based class actions were filed. Most were dismissed due to the absence of financial identifiers, but legal defense costs were considerable.
- Regulatory Investigations: While not fined, Exactis faced inquiries and follow-up audits that delayed operations and led to mandatory security reforms.
- Client Losses: Enterprise customers terminated contracts citing inadequate vendor risk management and lack of breach prevention controls.
- Remediation Expenses: The company was compelled to redesign its infrastructure, implement segmentation, and retain third-party security consultants.
Estimated Total Cost: $20–25 million across legal, operational, and reputational domains.
How to Spot Weak Licensing Terms
When evaluating a software license agreement, master services agreement (MSA), or vendor contract, the following omissions often indicate inadequate allocation of cybersecurity responsibilities and an unacceptable level of retained risk for the licensee:
- No affirmative security obligations
  The agreement does not require the vendor to implement or maintain technical safeguards such as access controls, encryption for data at rest and in transit, secure audit logging, or segregation of customer data from other tenants or services.
- Overly broad disclaimer language
  The presence of terms such as “as-is,” “no warranties,” or “use at your own risk” indicates that the vendor is disclaiming responsibility for defects, vulnerabilities, or misconfigurations, regardless of whether they result in a breach.
- Lack of breach response and notification terms
  The contract does not obligate the vendor to notify the licensee of a security incident, share forensic evidence, participate in containment or recovery efforts, or assist with regulatory reporting timelines.
- No audit or verification rights
  The licensee is not granted any right to audit the vendor’s security controls, review patch or vulnerability management practices, or obtain evidence of compliance with baseline security requirements.
- No disclosure of insecure defaults
  The vendor is not required to inform the licensee about configurations that expose the system to unauthorized access by default, such as unauthenticated interfaces, open network ports, or disabled logging mechanisms.
Any one of these gaps may leave your organization contractually exposed. When present together, they create a complete absence of enforceable cybersecurity assurances, effectively shifting all technical and legal risk to the licensee and providing no basis for vendor accountability in the event of a breach.
Conclusion
The Exactis breach illustrates the consequences of omitting enforceable cybersecurity provisions from a software license agreement. In the absence of contractual terms addressing secure configuration, vulnerability disclosure, incident response coordination, and allocation of liability, the licensee bears full exposure to operational and regulatory risk arising from vendor defaults.
Software license agreements should clearly define technical safeguards, assign security responsibilities, and establish obligations for breach management and compliance support. These provisions must be incorporated as binding terms within the governing contract.
Security requirements must be expressly negotiated, documented, and enforced through contract - and not assumed.