In September this year when Equifax servers were hacked it allowed attackers to steal personal details of more than 143 million Americans – That was over 40% of the entire population of the United States. Now, the Cyber Risk Team at UpGuard has discovered a massive trove of data belonging to households in which personal and sensitive details of 123 million Americans have been exposed online.
How did it happen
Apparently, the leak was possible due to misconfigured Amazon Web Services S3 cloud storage “bucket,” where the data was being stored by a California-based data analytics firm. This comes as no surprise since the previous misconfiguration in Amazon S3 Buckets had exposed confidential NSA and US military–related data online.
What was in the data
The exposed bucket according to UpGuard’s blog post on Tuesday contained massive data sets belonging to US Census Bureau and Alteryx partner Experian, a consumer credit reporting agency and a competitor to Equifax.
Researchers believe the data was purchased by Alteryx from Experian’s ConsumerView marketing database, a product sold to other enterprises and contains a mix of public details and more sensitive data.
Furthermore, researchers found 248 different data fields covering a wide variety of specific personal information including addresses, marital status, gender, age, occupation, and education. Other fields contain financial histories, mortgage ownership, number of children in the household, phone numbers, number of adults and people living in unity, zip codes and street numbers etc.
“From home addresses and contact information to mortgage ownership and financial histories to very specific analysis of purchasing behavior, the exposed data constitutes a remarkably invasive glimpse into the lives of American consumers,” noted UpGuard’s Dan O’Sullivan.
How the data was discovered
The internet is full of exposed databases and for UpGuard Director of Cyber, Risk Research Chris Vickery finding those databases seems like a piece of cake since Vickery was the one to discover 191 million US voter registration records and Mexican voter database of 93.4 million citizens.
As for the Households data, it was discovered on October 6, 2017, when Vickery discovered an Amazon Web Services S3 cloud storage bucket located at the subdomain “alteryxdownload containing highly sensitive and private data.
The bucket would allow any AWS “Authenticated Users” to access and download the data without any further security hurdles. This means that anyone with an Amazon AWS account was allowed to access the data which can be deemed as a treasure trove for hackers, cybercriminals, and foreign spy agencies.
Response from Alteryx and Experian
There has been no official comment from Alteryx and Experian however, in a conversation with Forbes, Alteryx claimed that the exposed data was not as serious as it has been thought. According to Alteryx:
“Specifically, this file held marketing data, including aggregated and de-identified information based on models and estimations provided by a third-party content provider, and was made available to our customers who purchased and used this data for analytic purposes. “The information in the file does not pose a risk of identity theft to any consumers.”
Upguard on the other emphasized the severity of the leaked data and said that “The data exposed in this bucket would be invaluable for unscrupulous marketers, spammers, and identity thieves, for whom this data would be largely reliable and, more importantly, varied. With a large database of potential victims to survey – with such details as “mortgage ownership” revealed, a common security verification question – the price could be far higher than merely bad publicity.”