Security experts have discovered another massive leak that exposes incredibly detailed information on millions of American households.
On Tuesday, reports of a massive leak that compromises the information of around 123 million American households set the Internet abuzz. The scale of the issue puts the breach on par with the infamous Equifax incident last September, as it affects virtually every American household.
Researchers from the cybersecurity firm UpGuard say they discovered the database earlier this year sitting unsecured on the Internet. The database allegedly exposes an extraordinary range of personal details about American residents, including ethnicity, interests, hobbies, addresses, income, and even the number of children living within a property and what mortgage a particular house is under. In total, it was reported that there were 248 different data fields for each household.
While no names were exposed, cybercriminals could still potentially use the details in activities such as spamming and stealing identities.
“From home addresses and contact information to mortgage ownership and financial histories, to very specific analysis of purchasing behavior, the exposed data constitutes a remarkably invasive glimpse into the lives of American consumers,” Chris Vickery and Dan O’Sullivan, the UpGuard researchers who found the massive database, said.
Massive Leak due to Cloud Misconfiguration
The UpGuard security experts said they found the data sitting in an Amazon Web Services S3 storage bucket, free for anyone to access and obtain. All a person needs is the right URL to visit and an Amazon AWS account to retrieve all the data stored in the bucket.
As easy as that.
The cloud storage was said to be misconfigured and accidentally left open to the public by the marketing analytics company Alteryx. Apparently, the company obtained the information from Experian, a credit reporting agency, after purchasing its ConsumerView product.
Vickery believes that the information was being used as part of Alteryx’s product, the Alteryx Designer With Data, which it sells for approximately $38,995 USD per license.
“While, in the words of Experian, ‘protecting consumers is our top priority,’ the accumulation of this data in ‘compliance with legal guidelines,’ only to then see it left downloadable on the public internet, exposes affected consumers to large-scale misuse of their information,” the researchers said.
After being informed by the researchers, Alteryx reportedly took immediate action and secured the database from public view last week. In a statement to Forbes, Alteryx said:
“Alteryx secured the bucket, removed the file and has taken steps to prevent this from happening in the future. Alteryx confirmed that the file contained no names of any individuals or any other personal identifying information.
Specifically, this file held marketing data, including aggregated and de-identified information based on models and estimations provided by a third-party content provider, and was made available to our customers who purchased and used this data for analytic purposes. The information in the file does not pose a risk of identity theft to any consumers.”
Its partner company, Experian, echoed the same stance.
“This is an Alteryx issue, and does not involve any Experian systems. Alteryx has already confirmed with you that the data in question contained no names of any individuals or any other personal identifying information, and does not pose any risk of identity theft to any consumers. We have been assured by Alteryx that they promptly remedied this issue.”
However, while the two companies claimed the massive leak poses no risk, Vickery disagreed.
“That is incredibly misleading. I do not understand how anyone could possibly claim there is no risk posed here,” he told Forbes. “Addresses, phone numbers, banking, ethnicity, etc. is all present. There is a great deal of harm that could be done with this information.”
The researchers went on to say that the data exposed in the bucket would be invaluable for unscrupulous marketers, spammers and identity thieves, for whom this “data would be largely reliable and, more importantly, varied.”