123m US households exposed by Alteryx cloud storage leak

21 Dec 2017

Data analytics firm Alteryx left a wide range of details exposed on an unsecured cloud repository.

Consumer privacy – or the apparent lack thereof – has returned to the spotlight as security researchers at UpGuard have publicised the discovery of an unsecured Amazon Web Services S3 cloud storage bucket, which contained sensitive information on millions of US residents.

California-based firm Alteryx left reams of data exposed. According to UpGuard, the repository contained massive datasets belonging to consumer credit reporting agency Experian (an Alteryx partner), and information from the US Census Bureau.

Although the census data consists of information that is easily available to the public, Experian’s ConsumerView marketing database holds a mixture of public information and more sensitive details.

Taken in tandem, the exposed data reveals “millions of personally identifying details and data points about virtually every American household”, according to UpGuard’s Dan O’Sullivan, who described it as a “remarkably invasive glimpse into the lives of American consumers”.

Home addresses, contact information, financial histories and specific purchase analysis of millions of people were left unsecured in the bucket.

Exposed data left many vulnerable

Although the accumulation of the data is in compliance with legal guidelines, the exposure of the information could lead to unwanted direct marketing, phantom debt collection or identity theft. No names were exposed in the leak, but that has been deemed insignificant by security experts.

UpGuard noted: “The continuing concentration of data by a number of large enterprises, now wielding powerful technology of the sort provided by Alteryx, has not been accompanied by greater prudence and process improvement necessary to ensure that the data will remain securely stored.

“The result has been, in the same way warming waters increase the power of hurricanes, that data exposures such as this are capable of exposing the vast majority of American households to compromise with one error.”

UpGuard researcher Chris Vickery discovered the bucket in October 2017, and Alteryx said that the database had been secured, downplaying the scale of the leak to Forbes: “Specifically, this file held marketing data, including aggregated and de-identified information based on models and estimations provided by a third-party content provider, and was made available to our customers who purchased and used this data for analytic purposes.

“The information in the file does not pose a risk of identity theft to any consumers.”

Information would be valuable for the unscrupulous

UpGuard researchers are not so sure that assessment is correct. In their view, the information would be “invaluable for unscrupulous marketers, spammers and identity thieves, for whom this data would be largely reliable and, more importantly, varied”.

The company added: “With a large database of potential victims to survey – with such details as ‘mortgage ownership’ revealed, a common security verification question – the price could be far higher than merely bad publicity.”

This incident mirrors the October findings of UpGuard, when unsecured Amazon Web Services buckets used by Accenture were flagged by researchers.

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects.
