Another Major Leak - No Security At All

White Haven
Sith Acolyte
Posts: 6360
Joined: 2004-05-17 03:14pm
Location: The North Remembers, When It Can Be Bothered

Another Major Leak - No Security At All

Post by White Haven »

CNet wrote:
Massive leak exposes data on 123 million US households
An unsecured database contained a wide range of personal details about virtually every American household, researchers say.

By Steven Musil, December 19, 2017 4:40 PM PST

The door to your personal data got left wide open once again.

Researchers revealed Tuesday that earlier this year they discovered a massive database -- containing information on more than 123 million American households -- that was sitting unsecured on the internet.

The cloud-based data repository, from marketing analytics company Alteryx, exposed a wide range of personal details about virtually every American household, according to security researchers with the UpGuard Cyber Risk Team. The leak put consumers at risk for a range of nefarious activities, from spamming to identity theft, the researchers warned.

Though no names were exposed, the data set included 248 different data fields covering a wide variety of specific personal information, including address, age, gender, education, occupation and marital status. Other fields included mortgage and financial information, phone numbers and the number of children in the household.

"From home addresses and contact information, to mortgage ownership and financial histories, to very specific analysis of purchasing behavior, the exposed data constitutes a remarkably invasive glimpse into the lives of American consumers," UpGuard researchers Chris Vickery and Dan O'Sullivan wrote in their analysis.

A cascade of recent database breaches has left consumers on edge about the security of their personal information. After credit monitoring company Equifax revealed in September that cybercriminals had made off with data on more than 145 million Americans, US lawmakers began efforts to hold such businesses accountable to the everyday people whose data they collect for profit.

The Alteryx database was discovered in October in a misconfigured Amazon Web Services S3 cloud storage "bucket," the researchers said, allowing access to anyone with an easily obtainable account.

The repository contained massive data sets belonging to Alteryx partner Experian, a consumer credit reporting agency that competes with Equifax, and the US Census Bureau, researchers said. Alteryx apparently purchased the data from Experian's ConsumerView marketing database, a product sold to other companies that contains a combination of publicly available information and more personal data.

Neither Alteryx nor Experian responded to a request for comment. In a statement to Forbes, Alteryx said the database had been secured, and it downplayed the leak's severity.

"Specifically, this file held marketing data, including aggregated and de-identified information based on models and estimations provided by a third-party content provider, and was made available to our customers who purchased and used this data for analytic purposes," Alteryx said. "The information in the file does not pose a risk of identity theft to any consumers."

Experian struck a similar note in response to Forbes' query about the leak.

"This is an Alteryx issue, and does not involve any Experian systems," a spokesperson said. "Alteryx has already confirmed with you that the data in question contained no names of any individuals or any other personal identifying information, and does not pose any risk of identity theft to any consumers. We have been assured by Alteryx that they promptly remedied this issue."

The UpGuard researchers disagreed with that assessment.

"The data exposed in this bucket would be invaluable for unscrupulous marketers, spammers and identity thieves, for whom this data would be largely reliable and, more importantly, varied," the researchers said. "With a large database of potential victims to survey -- with such details as 'mortgage ownership' revealed, a common security verification question -- the price could be far higher than merely bad publicity."
Well, Equifax has something to be happy about, because one of Experian's business partners just one-upped their criminal negligence. Rather than just pathetic security, they decided to try none at all. What...fun...
Chronological Incontinence: Time warps around the poster. The thread topic winks out of existence and reappears in 1d10 posts.

Out of Context Theatre, this week starring Darth Nostril.
-'If you really want to fuck with these idiots tell them that there is a vaccine for chemtrails.'

Fiction!: The Final War (Bolo/Lovecraft) (Ch 7 9/15/11), Living (D&D, Complete)
Simon_Jester
Emperor's Hand
Posts: 30165
Joined: 2009-05-23 07:29pm

Re: Another Major Leak - No Security At All

Post by Simon_Jester »

I wonder exactly what threshold of popular dissent would be required to make the present Congress pass bills radically curtailing the ability of large corporations to keep this kind of massive database on people who never agreed to be their customers and have never done business with them directly.

I mean, there's a threshold above which they'd do it. I'm pretty sure they'd pass such legislation if the alternative was ending up tarred, feathered, and ridden out of Washington on a rail, to take the extreme limiting case. Hopefully the threshold is somewhere below that point, but I wonder where?
This space dedicated to Vasily Arkhipov
bilateralrope
Sith Acolyte
Posts: 5954
Joined: 2005-06-25 06:50pm
Location: New Zealand

Re: Another Major Leak - No Security At All

Post by bilateralrope »

Sadly I think the threshold is members of both parties being noticeably harmed. Either harmed directly, or having their donors complain about it harming them. If it's just Democrats being harmed, I expect the Republicans under Trump to cheer about it.
The Romulan Republic
Emperor's Hand
Posts: 21559
Joined: 2008-10-15 01:37am

Re: Another Major Leak - No Security At All

Post by The Romulan Republic »

Aw, and here I was hoping that this would be about a leak from the Trump White House.
"I know it's easy to be defeatist here because nothing has seemingly reined Trump in so far. But I will say this: every asshole succeeds until finally, they don't. Again, 18 months before he resigned, Nixon had a sky-high approval rating of 67%. Harvey Weinstein was winning Oscars until one day, he definitely wasn't."-John Oliver

"The greatest enemy of a good plan is the dream of a perfect plan."-General Von Clausewitz, describing my opinion of Bernie or Busters and third partiers in a nutshell.

I SUPPORT A NATIONAL GENERAL STRIKE TO REMOVE TRUMP FROM OFFICE.
Ace Pace
Hardware Lover
Posts: 8456
Joined: 2002-07-07 03:04am
Location: Wasting time instead of money

Re: Another Major Leak - No Security At All

Post by Ace Pace »

Simon_Jester wrote: 2017-12-21 07:46am I wonder exactly what threshold of popular dissent would be required to make the present Congress pass bills radically curtailing the ability of large corporations to keep this kind of massive database on people who never agreed to be their customers and have never done business with them directly.

I mean, there's a threshold above which they'd do it. I'm pretty sure they'd pass such legislation if the alternative was ending up tarred, feathered, and ridden out of Washington on a rail, to take the extreme limiting case. Hopefully the threshold is somewhere below that point, but I wonder where?
There's also a technical complication. Let's say you pass a bill saying that companies can be sued for losing hold of PII. The moment it's implemented, nearly every company on the market can be and will be sued. Why? Because information security right now is broken. Competent teams find it hard to manage and implement security (*). So you're going to need a sunset provision. I'm pro that, but then you'll still have the majority of companies being sueable the moment the provision loses force. What Congress tried to do (not sure what the status of it is) is try to use market forces to gradually improve the situation. For example, regulating what sort of software and hardware the federal government (and contractors) can buy according to security criteria (such as updates, auditing, etc.). This is better, but probably not as fast as you want.

(*) Anyone saying "Oh just patch and harden down boxes" has clearly never worked with large companies.
Brotherhood of the Bear | HAB | Mess | SDnet archivist |
K. A. Pital
Glamorous Commie
Posts: 20813
Joined: 2003-02-26 11:39am
Location: Elysium

Re: Another Major Leak - No Security At All

Post by K. A. Pital »

This is what the people wanted. After all, what is good for commerce, is good for the common man. The longer the world keeps on trading, the better life will get for everyone, everywhere.

In the end state, there will be no security at all. Just a price tag on your data, and it will be sold to the highest bidder.

The end state of the market is to penetrate and corrode every non-market relationship that ever existed in this world.
There, there are churches, rubble, mosques and police headquarters; there, borders, unaffordable prices and wisecracks
There, swamps, threats, snipers with rifles, documents, nighttime queues and undocumented migrants
Here, encounters, struggles, synchronized steps, colors, unauthorized gatherings,
Migratory birds, networks, information, squares of All the likes, mad with passions...

...Tranquility is important, but freedom is everything!
Assalti Frontali
Simon_Jester
Emperor's Hand
Posts: 30165
Joined: 2009-05-23 07:29pm

Re: Another Major Leak - No Security At All

Post by Simon_Jester »

I have heard the market (and similar mechanisms that create ordered systems spontaneously) described as "blind idiot gods" in the manner of Lovecraft's fictional deity Azathoth. They are large, they are powerful, they create complex systems... And they are mindless and unworthy of veneration.
bilateralrope wrote: 2017-12-21 08:15am Sadly I think the threshold is members of both parties being noticeably harmed. Either harmed directly, or having their donors complain about it harming them. If it's just Democrats being harmed, I expect the Republicans under Trump to cheer about it.
There is no possible way for data breaches like this to fall entirely on Democrats...
Bedlam
Jedi Master
Posts: 1497
Joined: 2006-09-23 11:12am
Location: Edinburgh, UK

Re: Another Major Leak - No Security At All

Post by Bedlam »

K. A. Pital wrote: 2017-12-22 06:58am In the end state, there will be no security at all. Just a price tag on your data, and it will be sold to the highest bidder.
If there's no security why would the bidder pay when it could just take it?

The data having value means that the holder has some reason to want to secure it.

Not to say the 'invisible hand' is in any way going to make information secure but the situation as occurred is a bug not a feature.
SpottedKitty
Jedi Master
Posts: 1004
Joined: 2014-08-22 08:24pm
Location: UK

Re: Another Major Leak - No Security At All

Post by SpottedKitty »

Simon_Jester wrote: 2017-12-21 07:46am I wonder exactly what threshold of popular dissent would be required to make the present Congress pass bills radically curtailing the ability of large corporations to keep this kind of massive database on people who never agreed to be their customers and have never done business with them directly.
Isn't it the other way round? We aren't their customers, we're their product for sale to their true customers.
“Despite rumor, Death isn't cruel — merely terribly, terribly good at his job.”
Terry Pratchett, Sourcery
Simon_Jester
Emperor's Hand
Posts: 30165
Joined: 2009-05-23 07:29pm

Re: Another Major Leak - No Security At All

Post by Simon_Jester »

The people who never agreed to be their customers also never agreed to be their product.

Anyone who did agree to be their customers has no right to complain when the demon they conjured up turns and rends them.