123 million Americans exposed in misconfigured cloud database: What infosec leaders should know
Data analytics firm Alteryx breached the personal information of 123 million U.S. households after leaving its Amazon Web Services S3 cloud storage bucket open to the public, a new report from security firm UpGuard found.
UpGuard discovered the open bucket on Oct. 6., which included data sets belonging to Alteryx partners, the U.S. Census Bureau and consumer credit reporting agency Experian. Compete datasets for the 2010 U.S. Census and Experien’s ConsumerView marketing database were available.
About 36 GB of ConsumerView data were left open to the public, including more than 123 million rows that each represented a different American household.
In total, the exposed data revealed more than 3.5 billion fields of personal identifiers and data points about nearly every American household – including ethnic and racial information. While the report found the spreadsheet used anonymized identifies, the other information was very detailed.
Data included addresses, contact information, financial histories, mortgage status and a detailed analysis of purchasing behavior – like travel history, pet information and sports interests.
“The data exposed in this bucket would be invaluable for unscrupulous marketers, spammers and identity thieves, for whom this data would be largely reliable and, more importantly, varied,” the report said.
This breach highlights an ongoing issue prevalent in all sectors: Employees failing to ensure cloud storage databases remain private. Patient Home Monitoring, Accenture, Verizon and many others have failed to take the necessary steps to lock down databases stored in the cloud.
In fact, Amazon added a host of new security measures to its database this fall to make it more obvious that a storage bucket is not private. And now the default storage setting is private in an effort to reduce these kinds of breaches.
But it doesn’t have to be this way.
“This is an enormous problem facing the IT landscape today,” UpGuard Director of Cyber Risk Research Chris Vickery wrote. “As have been seen in many previous data exposures, most enterprises lack the ability to even assess the security postures of external vendors.”
“Even if the primary enterprise maintains high standards of change validation and management, they are inviting risk if they cannot be sure of similarly stringent maintenance within the operations of partners handling their data,” he continued.