2017 seems to have been the year of high-profile data breaches. September saw consumer credit reporter Equifax announce that a hack stole info pertaining to 145 million of its customers, including full names, drivers license and social security numbers, and even complete addresses. The attack was initially carried out in May, the same month that the North Korean WannaCry hack devastated computer systems across the globe.
Only months later, ride sharing app and transportation giant Uber revealed that they had suffered their own breach which, while only revealing scant identifying information about customers, saw driving license information from 600,000 of their own employees stolen. The company hid evidence of the attack for over a year. Image hosting site Imgur similarly had user data stolen back in 2014 but hid evidence of the incident until this year. Yet another potential breach has been discovered, this time hitting marketing analytics firm Alteryx.
Researchers uncovered evidence that the company’s cloud-based storage, which held identifying information on upwards of a 123 million American households, did not have any significant security features in place. Cybersecurity firm UpGuard said the lack of security could leave anyone in the database open to anything from simple spam to full blown identity theft. Each entry in the system covered nearly 250 different points of identifying data including addresses, marital status, work info, ages, phone numbers, and revealing financial information.
Researchers at Upguard discovered the unprotected information back in October of this year. It was stored via an Amazon Web Services cloud storage space that was misconfigured, allowing anyone to create an account capable of accessing the data. The offending marketing company had also purchased information from other sources which was in turn stored on the unsecured server. This includes information from the United States Census Bureau and, more interestingly, Experian. Experian is a partner of Alteryx and, as it happens, is a major competitor of the previously hacked Equifax.
Both Alteryx and their partner have downplayed the incident, claiming that the misconfiguration was repaired and that the only information vulnerable to theft was “marketing data” that would not facilitate identity theft. Experian laid the blame squarely on Alteryx’ shoulders and further supported the latter’s claim that any data taken from the unsecured server would be inconsequential. UpGuard disagreed, saying that the information is an invaluable resource for identity theft, spamming, and underhanded marketing practices. They pointed out that the information could, for example, be used to answer security questions needed to change passwords on email and other web accounts.