
Third Party Leak Exposes Info on 123 Million US Households

A massive and potentially damaging data leak has exposed sensitive and detailed consumer profiles on nearly every American household, the security firm UpGuard Security said on Tuesday. 

Detailed consumer profiles on 123 million American households compiled by the firm Alteryx were discovered on a weakly secured cloud server hosted by Amazon. The data includes a mix of U.S. Census Data and consumer tracking data collected by the firm Experian. In all, billions of personally identifying details for nearly every U.S. household were exposed, according to Chris Vickery, a researcher at UpGuard who discovered the trove of data.

Data on 123 million US households was exposed by the firm Alteryx, according to researcher Chris Vickery of UpGuard. (Image courtesy of Library of Congress.)

Coming on the heels of a hack of consumer credit rating firm Equifax, the Alteryx breach is likely to ratchet up pressure on lawmakers to address what has become an epidemic of data leaks and data theft among U.S. firms, including so-called ‘data brokers’ like Equifax, TransUnion and others that make money by collecting and re-selling a broad range of information on individuals and companies.

According to Vickery, the data was discovered in early October on an Amazon Web Services S3 cloud storage “bucket” hosted on the subdomain “alteryxdownload.” The data included software updates and other administrative files, as well as a 36 gigabyte database containing Experian ConsumerView data on 123 million households. The file was dated 2013. ConsumerView is an Experian product that is sold to companies who wish to profile individuals or households for marketing or sales purposes, among other things. Among the data stored in the database was a wide range of consumer marketing data, including each household’s address, occupants and household income. Also included was a range of more sensitive data like mortgage and financial data, information on credit card use and credit worthiness, and lifestyle and interest data compiled from surveys that household members may have taken.

The S3 storage bucket was not accessible to the public. However, anyone with an Amazon Web Services account could access it. Vickery said that such accounts can be set up in minutes using nothing more than an email address, meaning that anyone with knowledge of the existence of the Alteryxdownload subdomain could get access to it with little trouble.
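A check for the "not public, but open to any AWS account" condition described above, added here as an example and not taken from UpGuard or Alteryx. It assumes the access came from an S3 ACL grant to the predefined AuthenticatedUsers group (the article does not name the mechanism) and reads a dict shaped like the S3 GetBucketAcl response; the sample ACL is constructed.

```python
# Added example: flag S3 ACL grants that reach beyond the bucket owner.
# Input is a dict shaped like the S3 GetBucketAcl response (as boto3 returns it).

GROUP_PREFIX = "http://acs.amazonaws.com/groups/global/"
BROAD_GROUPS = {
    GROUP_PREFIX + "AllUsers": "anyone on the internet (anonymous)",
    GROUP_PREFIX + "AuthenticatedUsers": "any AWS account holder",
}
# What each ACL permission lets the grantee do when set on a bucket.
EFFECT = {
    "READ": "list objects",
    "WRITE": "create, overwrite and delete objects",
    "READ_ACP": "read the bucket ACL",
    "WRITE_ACP": "rewrite the bucket ACL",
    "FULL_CONTROL": "list, write, and read/rewrite the ACL",
}

def broad_grants(acl):
    """Return one finding per grant made to a predefined global group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # grants to a specific account are out of scope here
        audience = BROAD_GROUPS.get(grantee.get("URI", ""))
        if audience is None:
            continue  # e.g. the LogDelivery group, not a broad audience
        perm = grant.get("Permission", "")
        findings.append({
            "audience": audience,
            "permission": perm,
            "effect": EFFECT.get(perm, "unknown"),
        })
    return findings

# Constructed sample (assumption): the owner has full control, plus a READ
# grant to AuthenticatedUsers. Anonymous requests fail, any AWS account works.
SAMPLE_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": GROUP_PREFIX + "AuthenticatedUsers"},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    for f in broad_grants(SAMPLE_ACL):
        print(f"{f['permission']} granted to {f['audience']}: can {f['effect']}")
```

A bucket that passes an anonymous-access test can still fail this check, which is why ACL audits need to treat both global groups as findings.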

After discovering the data, UpGuard said it alerted Alteryx about the exposed data and worked with the company to secure it. Alteryx did not reply to email or phone requests for comment prior to publication.

Writing on the UpGuard blog, Vickery said the implications of the leak could be profound for U.S. consumers – exposing them to a range of threats from scam phone calls to identity theft.

“Taken together, this exposed data provides a highly detailed database of tens of millions of Americans’ personal, financial, and private lives,” he wrote.

The breach also underscores the dangers that U.S. businesses and the U.S. public face as a result of lax practices by third party firms. Vickery notes that while Experian promises consumers that it will provide “notice and choice when it comes to how their data is being used” and be mindful of consumer privacy, those promises don’t extend to Experian’s business partners, including Alteryx.

UpGuard and Vickery have made a name for themselves by finding and exposing massive data leaks, often by way of exposed cloud servers hosted by Amazon and other firms. Previously, Vickery disclosed the leak of voter information by the Republican National Committee (RNC) – a trove of information on some 200 million US voters that included 14 files saved using Alteryx’s proprietary database format.

In March, Vickery disclosed the discovery of a database of 1.4 billion email addresses leaked by a spam email operation, River City Media. That data was also left exposed online as a data backup.