The Daily Swig Web security digest

Massive cloud leak exposes ‘virtually every American household’

James Walker | 20 December 2017 at 12:44

Alteryx bungle delivers some home truths surrounding third-party vendor risk.

A vast database containing sensitive personal information on more than 123 million American households was left on a publicly exposed Amazon S3 cloud storage bucket, researchers have discovered.

In a report published yesterday, the UpGuard Cyber Risk Team detailed their recent discovery of a cloud-based data repository belonging to Alteryx, a California-based data analytics firm, which was configured via permission settings to allow any AWS account holder to download its contents.

Exposed within the repository are massive data sets belonging to Alteryx partner Experian, the consumer credit reporting agency, as well as the US Census Bureau.

While the census data consists of publicly accessible statistics and information, Experian’s ConsumerView marketing database, a product sold to other enterprises, contains a mix of public details and more sensitive data.

The 36 GB ConsumerView file included a huge range of personal details on residents, including address and home ownership status, ethnicity, interests and hobbies, income, phone numbers, number of children living at the household, and political contributions.

In all, the file contained 128 data points and more than 123 million rows. Taken together, the UpGuard team said the exposed data reveals “billions of personally identifying details and data points about virtually every American household”.

“While the spreadsheet uses anonymized record IDs to identify households, the other information in the fields – as well as another spreadsheet in the bucket – are sufficiently detailed as to be not merely often identifying, but with a high degree of specificity,” explained UpGuard cyber resilience analyst, Dan O’Sullivan.

Although some might initially draw parallels between the leak of Experian’s proprietary consumer data and the massive Equifax security breach which came to light in September, it should be noted that the credit agency is not directly involved in the Alteryx exposure.

However, UpGuard said its latest findings serve to highlight the damage that can be caused by third-party vendors – a risk factor which O’Sullivan said can corrode the integrity of “any public and private functions relying upon information technology”.

“The exposure of massive amounts of data about many millions of American households gathered by a credit reporting agency reveals how the consequences of cyber insecurity can, in an increasingly interdependent technological environment, quickly afflict partners and expose their data as well,” he stated.