Security researchers at Upguard reported Wednesday that personally identifiable data on 123 million American households was left publicly exposed, potentially revealing billions of details and data on virtually every household in the country.
The data was held in a repository owned by Alteryx, a data analytics firm that had data sets belonging to business partner Experian, one of three massive credit reporting firms, and the U.S. Census Bureau. The Census data consists of public data and information that is not personally identifiable, but the Experian data contains information such as home address, contact information, mortgage data, financial history and even purchasing behavior.
The data were revealed in what is by now a fairly common flub. The Alteryx data repository was stored in an Amazon Web Services (AWS) S3 cloud storage bucket on which the access permission was set to allow any AWS “authenticated user” to download the stored data.
UpGuard noted that more than a million users are registered with this privilege, which is free to obtain: “Simply put, one dummy sign-up for an AWS account, using a freshly created email address, is all that was necessary to gain access to this bucket’s contents.”
See the Upguard report for more details and a list of all 248 categories of information released.
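The permission setting described above can be caught by auditing bucket ACLs for grants to Amazon's predefined groups. The following is an added example, not code from UpGuard, Alteryx or AWS: it takes a dictionary shaped like an S3 GetBucketAcl response and flags any grant to the "AuthenticatedUsers" or "AllUsers" group. The sample ACL, owner ID and severity labels are constructed for illustration.

```python
# Added example: flag S3 ACL grants that open a bucket to broad AWS groups.
# Input has the shape of an S3 GetBucketAcl response; SAMPLE_ACL is constructed.

GROUP_BASE = "http://acs.amazonaws.com/groups/global/"
BROAD_GROUPS = {
    GROUP_BASE + "AllUsers": "anyone, no sign-in required",
    GROUP_BASE + "AuthenticatedUsers": "any AWS account holder, not just your own",
}
# Permissions that let the grantee change data or the ACL itself.
WRITE_LIKE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}

def risky_grants(acl):
    """Return (group, permission, severity) for each grant to a broad group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # CanonicalUser grants name one specific account
        uri = grantee.get("URI", "")
        if uri not in BROAD_GROUPS:
            continue  # e.g. the S3 log delivery group
        perm = grant.get("Permission", "")
        severity = "critical" if perm in WRITE_LIKE else "high"  # assumed labels
        findings.append((uri.rsplit("/", 1)[-1], perm, severity))
    return findings

# Constructed sample: owner access, the broad read grant, and log delivery.
SAMPLE_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": GROUP_BASE + "AuthenticatedUsers"},
         "Permission": "READ"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
         "Permission": "WRITE"},
    ],
}

if __name__ == "__main__":
    for group, perm, severity in risky_grants(SAMPLE_ACL):
        who = BROAD_GROUPS[GROUP_BASE + group]
        print(f"[{severity}] {perm} granted to {group} ({who})")
```

In a live audit, the same function can be run over the response of boto3's `get_bucket_acl` call for each bucket in an account.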
This data breach is similar to that revealed by Verizon Communications Inc. (NYSE: VZ) last July. In that breach more than 14 million personally identifiable consumer records were stolen.
The largest data breach so far this year resulted in the theft of more than 145 million personally identifiable records from credit reporting firm Equifax Inc. (NYSE: EFX). That attack was attributed to a known vulnerability in Apache Struts, an open-source web application framework.