Amazon AWS Cloud Data Leak: Personal Info of 123 Million U.S. Households

Yet another data bombshell has hit consumers, this time exposing massive amounts of personally identifiable information (PII) on some 123 million American households.

Security watchdog UpGuard has overturned one more instance of a misconfigured Amazon Web Services S3 cloud storage bucket, this one containing billions of data points of highly sensitive consumer information used by Alteryx, an Irvine, CA-based data analytics provider. The compromised repository belongs to credit rater Experian and the U.S. Census Bureau but it is Alteryx that evidently left the AWS storage bucket door ajar.

While U.S. Census data is publicly available, Experian’s database is sold to other businesses for marketing purposes and, therefore, is a richer target with more sensitive information that reportedly sells for nearly $40,000 per license, Forbes reported.

UpGuard discovered data housed under the subdomain "alteryxdownload" on October 6, 2017. Complete datasets for Experian’s ConsumerView marketing database and the 2010 U.S. Census were left open for anyone with an AWS account to see. The 36 GB data file titled "ConsumerView_10_2013" contained over 123 million rows, each one signifying a different American household.

"Simply put, one dummy sign-up for an AWS account, using a freshly created email address, is all that was necessary to gain access to this bucket's contents," UpGuard researchers Chris Vickery and Dan O’Sullivan wrote in a blog post.

By any reckoning the amount of type of data exposed is staggering, easily drawing comparisons to the Equifax heist that netted information on 145 million people. UpGuard said the exposed data reveals some 3.5 billion fields of confidential information on just about every American household.

“From home addresses and contact information, to mortgage ownership and financial histories, to very specific analysis of purchasing behavior, the exposed data constitutes a remarkably invasive glimpse into the lives of American consumers,” said the UpGuard researchers. The cascading reverberations for consumers of the open online storehouse extend to “large-scale misuse of their information - whether through spamming and unwanted direct marketing, organized fraud techniques like phantom debt collection, or through the use of personal details for identity theft and security verification,” they said.

Once UpGuard informed Alteryx and Experian of the configuration oversight, the analytics company secured the database from public view last week. Still, Alteryx appeared to downplay the incident’s importance while Experian predictably excused itself from involvement.

"Specifically, this file held marketing data, including aggregated and de-identified information based on models and estimations provided by a third-party content provider, and was made available to our customers who purchased and used this data for analytic purposes," an Alteryx spokesperson reportedly told Forbes. "The information in the file does not pose a risk of identity theft to any consumers."

Similarly, an Experian spokesperson told Forbes that the data exposure is an “Alteryx issue and does not involve any Experian systems...We have been assured by Alteryx that they promptly remedied this issue."

But Vickery stood by his research, Forbes reported, criticizing the two outfits for “incredibly misleading” statements. “I do not understand how anyone could possibly claim there is no risk posed here," he reportedly said. "Addresses, phone numbers, banking, ethnicity, etc. is all present. There is a great deal of harm that could be done with this information."

In addition, Vickery and O'Sullivan made it clear they are no fans of third-party data handling. "In the same way warming waters increase the power of exposures such as this are capable of exposing the vast majority of American households to compromise with one error," they wrote in the blog post. It "reveals just how thoroughly third-party vendor risk is corroding the integrity of any public and private functions relying upon information technology."

In early November, Amazon updated its cloud default settings and encryption options for customers to mitigate such risks.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.