A researcher has revealed the personal details of 120 million American households were publicly accessible online because the marketing firm holding the data was using a misconfigured AWS bucket.
Chris Vickery, a cybersecurity researcher from UpGuard told Forbes about the breach, which included 448 fields of personal information. The data, originally generated by Experian and sold to marketing analytics firm Alteryx, was found sitting in an AWS server without a password.
This meant the data in its entirety could be accessed by anyone with the valid URL, without having to enter any security details or validation checks.
Vickery explained it's likely the data was part of Alteryx's Designer With Data product, which the company sells for almost $40,000 (30,000) per license. It includes detailed information about consumers, including "consumer demographics, life event, direct response, property, and mortgage information," which could offer accurate profiles for criminals looking for potential targets.
When Alteryx was notified of the possibility of a breach, it said it immediately secured the bucket, removed the file and has now taken steps to prevent such data being exposed again. It also added that the dataset did not include any personal details such as names or any other identifiers.
"Specifically, this file held marketing data, including aggregated and de-identified information based on models and estimations provided by a third-party content provider, and was made available to our customers who purchased and used this data for analytic purposes," the company said in a statement provided to Forbes. "The information in the file does not pose a risk of identity theft to any consumers."
Experian also denied responsibility, saying it was Alteryx that was in charge of the data and therefore it was the marketing firm's duty to protect the data. The spokesperson also confirmed no identifiable information was included in the file.
However, Vickery, who frequently exposes security lapses of this kind, believes a criminal could piece the information together using other sources of information.
"If you cross-reference it with a voter registration database, or if you have records from an advertiser on the web, like a big web advertiser, you piece these things together and you've got a very accurate view of who someone is: what they like doing, where they work, where they live, how many kids they have," he said.
This is only the latest example of a company failing to correctly configure an AWS bucket, leaving potentially sensitive user data open to the public. Most recently, Vickery found over 100GB of NSA data was found sitting on an unprotected bucket, a great deal of which was regarded as classified material.
The personal information of two million Dow Jones customers, 137GB of Accenture client data, and the data belonging to three million WWE fans have all been discovered sitting in AWS servers without password protection this year.
Image: Bigstock
