Over 123 million American households — a figure which represents nearly all of them — have likely had at least some data about them leak out on the internet earlier this year.
Nope, we aren’t talking about the Equifax hack.
No, this newly-disclosed leak was discovered along with an unsecured database on the internet earlier this year — a database that had at least some data on nearly every American household.
Oops.
The cloud-based data repository was left online unsecured by marketing analytics company Alteryx, according to security researchers with the UpGuard Cyber Risk Team.
The good news — such as there is any in cases like this — is that no names were exposed in the hack. Then not-so-good news is that the data set included some 248 different data fields covering a wide variety of specific personal information, including address, age, gender, education, occupation and marital status.
Thieves may also have potentially had access to financial data like mortgage information — as well as sensitive information like how many children live in certain households.
“From home addresses and contact information, to mortgage ownership and financial histories, to very specific analysis of purchasing behavior, the exposed data constitutes a remarkably invasive glimpse into the lives of American consumers,” UpGuard researchers Chris Vickery and Dan O’Sullivan wrote in their analysis.
The database was found in a misconfigured Amazon Web Services S3 cloud storage “bucket,” the researchers said, allowing access to anyone with an account, which are free to obtain.
A large cache of the data accidentally left unsecured came via Alteryx partner Experian, a consumer credit reporting agency. Reports indicate that Alteryx purchased the data from Experian’s ConsumerView marketing database. That product is sold by Experian to other firms and is known to contain a combination of publicly available information and more personal data.
Alteryx, thus far, seems to be downplaying the risk to consumers posed by the leak.
“Specifically, this file held marketing data, including aggregated and de-identified information based on models and estimations provided by a third-party content provider, and was made available to our customers who purchased and used this data for analytic purposes,” Alteryx said. “The information in the file does not pose a risk of identity theft to any consumers.”
Experian, on the other hand, mostly bounced the ball back to Alteryx.
“This is an Alteryx issue, and does not involve any Experian systems,” a spokesperson said. “Alteryx has already confirmed with you that the data in question contained no names of any individuals or any other personal identifying information, and does not pose any risk of identity theft to any consumers. We have been assured by Alteryx that they promptly remedied this issue.”
The UpGuard researchers who discovered the database did not buy into that assessment.
“The data exposed in this bucket would be invaluable for unscrupulous marketers, spammers and identity thieves, for whom this data would be largely reliable and, more importantly, varied,” the researchers said. “With a large database of potential victims to survey — with such details as ‘mortgage ownership’ revealed, a common security verification question — the price could be far higher than merely bad publicity.”