A cloud-based data repository from a data analytics firm was left publicly exposed, a security firm has just revealed. The exposed data included “billions of personally identifying details” on 123 million American households — “virtually every American household.”
The report comes from UpGuard, a security firm that also discovered a similar issue with consulting and management firm Accenture earlier this year. You’ve probably never heard of Alteryx, but the analytics firm’s exposed data sets belonged to the firm’s partner Experian — the consumer credit reporting agency — and also included information from the U.S. Census Bureau.
The two data sets, when used together, would allow malicious actors to access a veritable treasure trove of personal data including addresses, phone numbers, specific household information — including the ages, genders, occupations, and marital status of those who live in a home — and very specific personal information about consumer demographics and property. The exposed ConsumerView file, which contained very specific marketing information on American households, was “likely created” in 2013, according to UpGuard.
Forbes contacted Alteryx, and the firm downplayed the leak, saying there was no risk of identity theft. “Alteryx secured the bucket, removed the file and has taken steps to prevent this from happening in the future. Alteryx confirmed that the file contained no names of any individuals or any other personal identifying information,” an Alteryx spokesperson told Forbes.
Experian had a similar statement, saying that the data contained no names or personally identifying information, and that Alteryx had taken care of the issue. UpGuard’s Chris Vickery told Forbes the responses were “incredibly misleading.”
Vickery said, “Addresses, phone numbers, banking, ethnicity, etc. is all present. There is a great deal of harm that could be done with this information.” Vickery maintains that even without names, this information can be used to put together a picture of someone’s life. And once you have specific geographic and residential information, it wouldn’t take much extra effort to find a name to match the data.
Joseph Lorenzo Hall, chief technologist at the Center for Democracy & Technology, agreed with Vickery, and he told Forbes that names aren’t even necessary to some malicious actors. As he noted: “If you are trying to decide what houses on a block to rob, you don’t care about the names of the people that live there.”
Easy To Access
As UpGuard’s post reveals, the data — found in an Amazon Web Services S3 cloud storage bucket — could have been accessed by anyone with an Amazon AWS account. More than a million people have AWS accounts, and registration is free.
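In S3 access control lists, the grantee that means "anyone with an AWS account" is the predefined AuthenticatedUsers group. The following is an added example, not code from UpGuard or Alteryx: a check that flags such grants in an ACL shaped like an S3 GetBucketAcl response. The article does not give the bucket's actual ACL, so the bucket names, owner IDs and sample ACLs are constructed.

```python
# Added example: flag S3 bucket ACL grants that open a bucket to broad groups.
# Input mirrors the shape of an S3 GetBucketAcl response; sample data is constructed.
GROUP_PREFIX = "http://acs.amazonaws.com/groups/global/"
BROAD_GROUPS = {
    GROUP_PREFIX + "AuthenticatedUsers": "any AWS account holder",
    GROUP_PREFIX + "AllUsers": "anyone on the internet",
}
# What each ACL permission allows when granted on a bucket.
EFFECT = {"READ": "list objects", "WRITE": "create/overwrite/delete objects",
          "READ_ACP": "read the ACL", "WRITE_ACP": "rewrite the ACL",
          "FULL_CONTROL": "all of the above"}


def audit_acl(bucket, acl):
    """Return one finding per grant that exposes the bucket to a broad group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        audience = BROAD_GROUPS.get(grantee.get("URI", ""))
        if grantee.get("Type") != "Group" or audience is None:
            continue  # named account or another group: not broad exposure
        perm = grant.get("Permission", "")
        # Write-class grants let outsiders alter the data or the ACL itself.
        severity = "critical" if perm in ("WRITE", "WRITE_ACP", "FULL_CONTROL") else "high"
        findings.append({"bucket": bucket, "audience": audience, "permission": perm,
                         "effect": EFFECT.get(perm, "unknown"), "severity": severity})
    return findings


# Constructed sample ACLs (hypothetical bucket names and placeholder owner IDs).
SAMPLE_ACLS = {
    "example-analytics-share": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": GROUP_PREFIX + "AuthenticatedUsers"},
         "Permission": "READ"},
    ]},
    "example-private": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
         "Permission": "FULL_CONTROL"},
    ]},
}


def audit_all(acls):
    """Audit every bucket ACL in a name -> ACL mapping."""
    return [f for name, acl in sorted(acls.items()) for f in audit_acl(name, acl)]


if __name__ == "__main__":
    for f in audit_all(SAMPLE_ACLS):
        print(f"[{f['severity']}] {f['bucket']}: {f['permission']} -> {f['audience']}")
```

Against a real account, the ACL dictionaries would come from boto3's `get_bucket_acl` for each bucket rather than from the constructed samples.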
UpGuard also points at the larger challenge which could allow data to continue to be exposed: while one company may have their own cybersecurity in order, if that company is sharing data with other firms, all of those firms must be using proper security procedures, as well. As the post notes, “a weaker link can be fatal throughout the chain.”