Alteryx, a data mining and analytics firm, just disclosed that it accidentally exposed the personal details of over 120 million American households. The data included the Experian ConsumerView dataset and a full dump of the 2010 US Census data. UpGuard, the company responsible for the discovery, reports that the Alteryx dataset costs roughly $40,000 per license.

Details of the breach point to another misconfiguration of Amazon Web Services cloud storage permissions. Apparently, Alteryx configured the S3 bucket to accept connections from all AWS-authenticated users, not just those affiliated with the company. The scope of data included 248 separate data points per household, including addresses, genders, ethnicity, financial status, and interests and hobbies. However, the data does not contain names, which were replaced with unique pseudo-anonymous identifiers. Of course, details are lacking so soon after the disclosure, but this isn’t the first time we’ve seen something like this happen.
Alteryx Company Response
A company spokesman told Forbes:
Alteryx secured the bucket, removed the file and has taken steps to prevent this from happening in the future. Alteryx confirmed that the file contained no names of any individuals or any other personal identifying information.
Specifically, this file held marketing data, including aggregated and de-identified information based on models and estimations provided by a third-party content provider, and was made available to our customers who purchased and used this data for analytic purposes. The information in the file does not pose a risk of identity theft to any consumers.
The researchers who found the data disagree, saying:
That is incredibly misleading. I do not understand how anyone could possibly claim there is no risk posed here … Addresses, phone numbers, banking, ethnicity, etc. is all present. There is a great deal of harm that could be done with this information.