12.27.2017

You may not know much about the companies exposing your personal information. But they know a lot about you.

The Washington Post, December 19, 2017, comments by Atiq Raza
Bleeping Computer, December 19, 2017, comments by Atiq Raza

Unsecured Amazon S3 Bucket Exposes Details on 123 Million American Households.

Another day, another data leak.

Although data collection and analysis is a multi-billion dollar business, data security doesn’t seem to be an area where these companies are investing their money. US data analytics provider Alteryx recently left an Amazon S3 storage bucket exposed, spilling private details of 123 million households in America, which is nearly every one of the total 126 households in the entire country.

Breaches aren’t new. Data company Acxiom, perhaps a more well-known name, experienced a huge data breach in 2005 that exposed 1.6 billion customer records.

Another recent breach occurred at data firm Deep Root, hired by Republican candidates to collect information on 198 million people. The voters’ registration information and social posts were not secured and were therefore available to anyone curious enough to seek the information out.

The unprotected Alteryx server was discovered by US cyber-security firm UpGuard, and it wasn’t their first such discovery. As in prior cases, the server was left accessible by a URL that was easy to happen upon.

What was stolen?

Most critical were two database archives containing information belonging to Experian credit agency and the US Census Bureau.

Some of the Census Bureau data was already public, but the Experian data never should have been. The data contains PII (personally identifiable information), including addresses, home information, contact information, financial details about mortgages, purchase behavior and more.

The data is somewhat dated, going back to 2013, and doesn’t contain names. But before you breathe a sigh of relief, the bad news is that the data contains information such as addresses, which, along with other details, especially financial ones, would not be at all difficult for anyone, including thieves, to match up with names.

"Private information across multiple fields such as addresses and banking info can easily be correlated with names," Atiq Raza, CEO of Virsec Systems, told Bleeping Computer, confirming that the lack of names will not be an issue for attackers.

Mr. Raza also told the Washington Post that, “[Alteryx] is the latest example of organizations not applying stringent security to data in the cloud, and then underestimating the potential damage.”

A key problem is that the companies that acquire this data may have strict security policies, but they hire contractors that do not, and the sloppy practices of those contractors result in the data being leaked in massive breaches.

So much stolen and leaked data is now “out in the wild” that it’s tough to tally up the billions of leaked pieces of private information. The Internet is flooded with customer data that was meant to be, and should have been, kept private, with laws supposedly ensuring it would be, or at least laws that should bring consequences to companies that don’t meet their data security obligations. But so far, neither data security nor legal consequences seem to be happening.

What will it take to bring about better security and consequences for legal and privacy violations?

Read the full Washington Post Exposing Your Personal Information article.

Read the full Bleeping Computer Unsecured Amazon S3 Bucket Exposes Details on 123 Million American Households article.