Detailed information on more than 120 million American households was recently found unprotected online. This is the latest in a string of instances highlighting insecure cloud storage.
Similar to the recent data leaks at Accenture and the NSA, UpGuard discovered a massive data leak at marketing analytics company Alteryx. In all three incidents, an unprotected Amazon Web Services storage bucket held the sensitive data.
Data Breach Details
- The storage bucket used by Alteryx was configured via permission settings to allow any AWS “Authenticated Users” to download its stored data. Anyone signing up for an AWS account could then gain access to this bucket’s contents.
- Over 240 data fields were listed for each household. Data included home addresses and contact information, mortgage ownership, financial histories, and purchasing behavior.
- While names were not part of the data, the detailed information present in the bucket could be misused in the form of spamming, unwanted direct marketing, or through the use of personal details for identity theft and security verification.
- UpGuard confirmed through further research that Alteryx is a partner of both Experian and the US Census Bureau, highlighting the dangers presented by third-party vendor risk.
Alteryx took action to secure the database from public view after being informed of the open data by UpGuard, and said “The information in the file does not pose a risk of identity theft to any consumers.”
Experian comments included this statement:
“This is an Alteryx issue, and does not involve any Experian systems.”
Takeaways from the Breach
Default security settings are disregarded. The default security setting for S3 buckets allow only specifically authorized users to access the contents. This breach is another example of an organization seemingly going out of their way to create insecure storage.
Your name isn’t necessary to do damage. When so much other data about you is leaked, your name isn’t all that key. Mortgage information, for example, is often used in knowledge-based authentication processes. Chris Vickery of UpGuard explains:
“When you buy a car these days, or you apply for a loan, or you’re going for a student loan with the government or something, in order to verify who you are, a lot of times you run into knowledge-based authentication. That’s where not only do you have to provide your name, address and Social Security number, but they’ll also ask you, ‘OK, where did you live five years ago, who owns the mortgage to your house’ ― all sorts of bits of data that only you are supposed to know.”
Companies have security risk outside their walls. Experian supplied the data to Alteryx; Alteryx failed to secure the data. Partners and vendors have access to critical data. Organizations need to vet the security practices of their supply chain – and assume some portion of responsibility when their data is leaked by a member of that supply chain.
Downplaying the severity of a data leak isn’t a good look. Both Alteryx and Experian downplayed the leak. But, as noted above, there is the potential of damage given the types of data exposed. Greater acknowledgement of the potential risk would be better public relations.