Naked Security

Data on 123 million US households exposed

If you’re a US householder, a humongous trove of your personal data was available on an easily-accessible file

What surprising things might a keen data hunter find sitting in an unsecured state on a cloud service these days?

For a researcher at UpGuard, on 6 October the answer turned out to be an intriguing 36GB database file sitting in plain view on an Amazon Simple Storage Service (S3) bucket uploaded by analytics company Alteryx.

Leaky bucket might be a better description because when opened the database revealed the personal financial data of 123m American households – in effect everyone with an address in the US around the time of the file’s creation in 2013.

Let’s digest this: regardless of whether you’ve heard of Alteryx or not (and few will), if you’re a US householder, a humungous trove of your personal data was inside this easily-accessible file.

And quite a cache it was too, comprising 123m rows, each with 248 columns, culled from the US Census Bureau bulked with a “massive” amount from credit-reporting company Experian.

What data? In fact, it’d be easier to say what wasn’t in the database. UpGuard quotes Experian’s marketing blurb used to sell the data to third parties such as Alteryx:

With thousands of attributes on more than 300 million consumers and 126 million households, ConsumerView data provides a deeper understanding of your customers, resulting in more actionable insights across channels…

No wonder Alteryx wanted it. In case anyone assumes the data was anonymised, UpGuard reckons:

While the spreadsheet uses anonymized record IDs to identify households, the other information in the fields – as well as another spreadsheet in the bucket – are sufficiently detailed as to be not merely often identifying, but with a high degree of specificity.

In addition to trifles such as address, telephone number and estimated income, this included home valuations, when householders last bought a car, what magazines they subscribe to, how much they like to travel, their cat ownership – you name it.

Experian clearly knows an awful lot about Americans and has been passing it to partners to use, one of which didn’t secure it well, or at all.

All UpGuard needed to access the data was a free Amazon Web Services (AWS) account, which anyone could open. That marks this incident as the sort of screw-up security people will be quoting as a cautionary tale in conference presentations for years to come.
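For bucket owners who want to check for this kind of exposure, here is an added example (not code from UpGuard, Alteryx or the original article) that audits S3 bucket ACLs for grants to AWS's predefined global groups. It assumes the "any free AWS account" access described above corresponds to a grant to the `AuthenticatedUsers` group, which the article does not spell out. The bucket names and ACL documents are constructed samples in the shape of the S3 GetBucketAcl response.

```python
# Added example: flag S3 ACL grants that open a bucket to people outside the owner's account.
GLOBAL = "http://acs.amazonaws.com/groups/global/"
RISKY_GROUPS = {
    GLOBAL + "AllUsers": "anyone on the internet, no credentials needed",
    GLOBAL + "AuthenticatedUsers": "any AWS account holder, not only the owner's",
}
WRITE_LIKE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}

def audit_acl(bucket, acl):
    """Return one finding per grant made to a risky predefined group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI", "")
        if grantee.get("Type") != "Group" or uri not in RISKY_GROUPS:
            continue  # owner grants and the log-delivery group are not exposure
        perm = grant.get("Permission", "")
        findings.append({
            "bucket": bucket,
            "group": uri.rsplit("/", 1)[-1],
            "permission": perm,
            # Outsiders who can write or rewrite the ACL are worse than readers.
            "severity": "critical" if perm in WRITE_LIKE else "high",
            "exposed_to": RISKY_GROUPS[uri],
        })
    return findings

def audit_all(acls):
    return [f for name, acl in sorted(acls.items()) for f in audit_acl(name, acl)]

def _owner():
    return {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
            "Permission": "FULL_CONTROL"}

# Constructed sample ACLs (hypothetical bucket names).
SAMPLE_ACLS = {
    "example-analytics-exports": {"Grants": [_owner(), {
        "Grantee": {"Type": "Group", "URI": GLOBAL + "AuthenticatedUsers"},
        "Permission": "READ"}]},
    "example-access-logs": {"Grants": [_owner(), {
        "Grantee": {"Type": "Group",
                    "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
        "Permission": "WRITE"}]},
    "example-public-upload": {"Grants": [_owner(), {
        "Grantee": {"Type": "Group", "URI": GLOBAL + "AllUsers"},
        "Permission": "WRITE"}]},
}

if __name__ == "__main__":
    for f in audit_all(SAMPLE_ACLS):
        print(f"{f['severity']:8} {f['bucket']}: {f['permission']} -> {f['group']}")
```

ACLs are only one way a bucket becomes readable from outside; bucket policies need their own review.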

Had the data been noticed by criminals rather than a researcher, the latest incident could easily have ranked as a major breach similar to the one that affected Experian’s rival Equifax in September.

Experian’s odd reaction has been to pass the buck, telling Forbes:

This is an Alteryx issue, and does not involve any Experian systems.

Technically correct but disingenuous. Surely any company handing over large amounts of sensitive data on every household in the US knows it is a loaded weapon in the wrong hands and has a duty to set some standards as to how it will be secured.

As with previous incidents, the leak is another reminder about the mysterious lack of data protection rules in the US. In my opinion, the system leans too lazily on bad publicity to curb weak security when what is needed is independent intervention.


12 Comments

Ugh.
How the hell does a credit reporting agency know if I have a cat?? 1) Where are they scraping that data from?, and 2) Why does a credit reporting agency care?


I don’t know exactly, but Spokeo used to list potential interests somehow based on magazine subscriptions [?]. Google does a pretty good job of pinpointing where you live. You use your phone on your home WiFi, your computer is connected to same external IP, you go to a pet supply store, where your phone (MAC address) polls their WiFi, you use your phone to pay for some cat treats. It could be scarier, you visit a business with digital video cameras connected to the internet, you enter and your face gets recorded as your phone polls. If you want privacy move to the woods, make a shelter from pine boughs, no electronics, maybe a solar powered radio, become a hunter gatherer.


When are we going to start punishing these companies for leaking our data all over the web? It seems to happen so frequently now that the general public doesn’t care anymore and that is a real problem.


Had the data been noticed by criminals rather than a researcher, the latest incident could easily have ranked as a major breach
Who says it wasn’t noticed by criminals?


Had the data been noticed by criminals rather than a researcher, the latest incident could easily have ranked as a major breach
Who says it wasn’t noticed by criminals?
Precisely!


That depends how long it’s been left in an exposed state – it could be up to four years although it’s probably more recent.


Forget about hacker-level criminals! What might unscrupulous “powerful people” do with this kind of info – not just against individuals but to further engineer sociopolitical agendas? These could be the kinds of effects we “won’t notice”, (akin to the way “insider trading” effectively steals from every honest person) and through targeted perception management can slowly degrade our standing as free people.


We’ve been SOLD OUT by businesses colluding with “lawmakers” approval, without ANY concern for how we might feel about our privacy, in private & behind our backs, using OUR PII for their income. We the people share all the inherent risk & receive 0 compensation or benefit. Having this now discovered, any persons who gave no consent to these businesses to generate income from their PII ‘should’ expect a share of the generated income even though I know most are laughing at the thought of that happening….lawyers! Sold Out!
