A newly disclosed security incident has compromised the personal information of about 123 million American households, exposing sensitive details ranging from demographics like age and gender, to past retail purchases and specific interests.
The personal information was amassed by Alteryx, a California-based data analytics firm, and uploaded to a publicly available Amazon Web Services cloud-based data repository lacking basic security protections, according to UpGuard, a Silicon Valley security firm that disclosed the incident this week.
The data was “left downloadable on the public internet,” and potentially may have been accessed by any of the more than a million AWS account holders, UpGuard analyst Dan O’Sullivan said Tuesday.
“Exposed within the repository are massive data sets belonging to Alteryx partner Experian, the consumer credit reporting agency, as well as the U.S. Census Bureau, providing data sets from both Experian and the 2010 U.S. Census,” he wrote in a blog post.
“While the Census data consists entirely of publicly accessible statistics and information, Experian’s ConsumerView marketing database, a product sold to other enterprises, contains a mix of public details and more sensitive data,” the analyst explained. “Taken together, the exposed data reveals billions of personally identifying details and data points about virtually every American household.”
In addition to demographics including education, occupation and marital status, the exposed information categorized households based on items ranging from purchasing behaviors and hobbies, to sporting interests and credit worthiness.
While the exposed data set didn’t reveal the names of any individuals affected by the security incident, other items — such as contact information, or whether their households can be categorized as containing a “cat enthusiast” or “dog enthusiast,” among other leaked data points — provided an array of potentially invaluable information prior to being discovered by UpGuard in October and subsequently locked down.
“Databases like this allow bad guys to have that information about large swaths of people,” said Chris Vickery, UpGuard’s director. “So lots of fraud can be committed, even with systems that are designed to be based on personal knowledge,” he told The Huffington Post.
Experian blamed the incident on Alteryx, and Alteryx downplayed the significance of the discovery.
“This is an Alteryx issue,” Experian said in a statement. “Data security has always been, and always will be, our highest priority. As a matter of security best practices, Experian vets all our clients and mandates robust security measures and controls to secure our data.”
“The information in the file does not pose a risk of identity theft to any consumers,” Alteryx said in a statement to Forbes.
Forty-eight states currently have data-breach notification laws on the books, and Senate Democrats introduced legislation last month that would replace that patchwork with standardized federal requirements.