120 Million Americans’ Personal Data Exposed in Unsecured Database
Researchers from Upguard, a cybersecurity consultant company, announced the discovery of an unsecured Amazon Web Services database containing the personal data for over 120 million Americans; anyone with an Amazon Web Services account could access the database. The database was traced back to marketing analytics firm Alteryx, who allegedly purchased the information from consumer credit reporting agency Experian as part of one of their licensing products.
The information was discovered in an S3 “bucket;” which allows anyone who knew the URL to freely obtain any of the information contained therein. While the information did not include names, it did include addresses, interests, gender, education, occupation, income, and mortgage details. As of time of writing, there has been no information as to how long the database had been left open or who accessed it prior to discovery by Upguard.
Alteryx has since secured the database. “This file held marketing data, including aggregated and de-identified information based on models and estimations provided by a third-party content provider, and was made available to our customers who purchased and used this data for analytic purposes. The information in the file does not pose a risk of identity theft to any consumer” said Alteryx in a statement. They did not respond to reporters’ questions. Experian released a similar statement and also declined comment.
Experts strongly disagree with Alteryx’s and Experian’s statements, stating they are attempts to downplay the leak. “From home addresses and contact information, to mortgage ownership and financial histories, to very specific analysis of purchasing behavior, the exposed data constitutes a remarkably invasive glimpse into the lives of American consumers,” UpGuard researchers Chris Vickery and Dan O’Sullivan said. “The data exposed in this bucket would be invaluable for unscrupulous marketers, spammers and identity thieves, for whom this data would be largely reliable and, more importantly, varied.”
It remains to be seen if this event will create a greater demand for consumer data protections or legislation in that vein; legislative proposals were announced in the wake of the Equifax breach, and the EU’s GDPR is set to go into effect in May of 2018.
UPDATE DECEMBER 22, 2017: According to a statement from the U.S. Census Bureau, the leaked information was publicly available data, including information from the 2010 Census.