If we haven't seen enough mega data breaches this year, security researchers are here to end the year with a bang. This time, over 120 million American households are on the victims list, as an insecure database has exposed personally identifiable information affecting millions of people across billions of data points.
Over 123 million American households' data exposed thanks to Experian and Alteryx
Data of over 123 million American households was stored in a massive database that was left exposed on the web. The database included extremely personal information, including American citizens' addresses, income, mortgages, interests and hobbies, bank details, ethnicity, and more. The database had over 248 data fields for each household, UpGuard security research team has revealed.
The database was apparently left open by a marketing analytics company called Alteryx. "Exposed within the repository are massive data sets belonging to Alteryx partners Experian, the consumer credit reporting agency, and the US Census Bureau, providing full data sets for both Experian’s ConsumerView marketing database and the 2010 US Census," the researchers wrote.
Taken together, the exposed data reveals billions of personally identifying details and data points about virtually every American household.
Researchers said that the data is sold for around $38,995 per license. Experian boasts "protecting consumers" is its top priority. However, this invasive accumulation of data and then the lack of safeguards to keep this data secure proves otherwise.
No shame in exposing data of hundreds of millions of Americans
In response to the discovery, Alteryx and Experian continue to downplay the severity of such a massive data collection process. Alteryx said in its response that it has "secured the bucket, removed the file and has taken steps to prevent this from happening in the future".
"Alteryx confirmed that the file contained no names of any individuals or any other personal identifying information."
The marketing analytics company also added that the file "held marketing data, including aggregated and de-identified information based on models and estimations provided by a third-party content provider, and was made available to our customers who purchased and used this data for analytic purposes".
"The information in the file does not pose a risk of identity theft to any consumers."
However, security researchers don't appear to agree with Alteryx or Experian - the latter has said it's Alteryx's issue and Experian shouldn't be bothered. (On a side note, this isn't the first time Experian is involved in a massive data breach.)
"That is incredibly misleading," Chris Vickery, security researcher for UpGuard told Forbes. "I do not understand how anyone could possibly claim there is no risk posed here."
"Addresses, phone numbers, banking, ethnicity, etc. is all present. There is a great deal of harm that could be done with this information."
This scale of this breach puts it in the running with the devastating Equifax data leak, nearly affecting every single American household. Security researchers and experts believe it's time for some regulatory action against what many believe should be considered criminal activity not just another "incident".
This breach also highlights how third-party vendor security risk is getting completely out of control with every company blaming the other. "This case highlights that third-party vendor relationships are a growing cybersecurity risk," Varun Badhwar, co-founder of RedLock, said. "Data from three different organisations - Alteryx, Experian, and the US Census Bureau was revealed. Remember, an organisation’s security is only as good as its partner’s security."
Experian is also passing all the blame on to Alteryx. "This is an Alteryx issue, and does not involve any Experian systems," it said. "We have been assured by Alteryx that they promptly remedied this issue." Well, if you have been assured...
Researchers said that the leaked data would be invaluable for everyone from marketers and spammers to identity thieves. They warned that "with a large database of potential victims to survey - with such details as “mortgage ownership” revealed, a common security verification question - the price could be far higher than merely bad publicity."
[Update, Dec 21, 2017]: US Census data wasn't part of this leak
In an email to Wccftech, U.S. Census Bureau clarified that the data involved in this leak was already publicly available at census.gov and no "Personally Identifiable Information (PII) collected by the U.S. Census Bureau" was part of this leak. The third party marketing analytics company apparently didn't have any access to PII collected by the Census Bureau.
"The Census Bureau is committed to protecting the privacy of all households and businesses that participate in its surveys and censuses," the Bureau said in its statement. "Data security and public trust in the Census Bureau are essential to our mission."
