A massive database containing information on more than 123 million American households was discovered unsecured on the internet earlier this year, researchers said Tuesday.
The cloud-based data repository was left online by marketing analytics company Alteryx, exposing a wide range of personal details about virtually every American household, according to security researchers with the UpGuard Cyber Risk Team. The leak exposed consumers to a variety of nefarious activity, from spamming to identity theft, the researchers warned.
Though no names were exposed, the data set included 248 different data fields covering a wide variety of specific personal information, including address, age, gender, education, occupation and marital status. Other fields included mortgage and financial information, phone numbers and number of children in the household.
“From home addresses and contact information, to mortgage ownership and financial histories, to very specific analysis of purchasing behavior, the exposed data constitutes a remarkably invasive glimpse into the lives of American consumers,” UpGuard researchers Chris Vickery and Dan O’Sullivan wrote in their analysis.
A cascade of recent database breaches has left consumers on edge about the security of their personal information. After credit monitoring company Equifax revealed in September that cybercriminals had made off with data on more than 145 million Americans, US lawmakers began efforts to hold such businesses accountable to the everyday people whose data they collect for profit.
The database was discovered in October in a misconfigured Amazon Web Services S3 cloud storage “bucket,” the researchers said, allowing access to anyone with an account, which are free to obtain.
The repository contained massive data sets belonging to Alteryx partner Experian, a consumer credit reporting agency that competes with Equifax, and the US Census Bureau, researchers said. Alteryx apparently purchased the data from Experian’s ConsumerView marketing database, a product sold to other companies that contains a combination of publicly available information and more personal data.
Neither Alteryx nor Experian responded to a request for comment, but Alteryx said the database had been secured but downplayed the leak’s severity in a statement to Forbes.
“Specifically, this file held marketing data, including aggregated and de-identified information based on models and estimations provided by a third-party content provider, and was made available to our customers who purchased and used this data for analytic purposes,” Alteryx said. “The information in the file does not pose a risk of identity theft to any consumers.”
Experian struck a similar note in response to Forbes’ query about the leak.
“This is an Alteryx issue, and does not involve any Experian systems,” a spokesperson said. “Alteryx has already confirmed with you that the data in question contained no names of any individuals or any other personal identifying information, and does not pose any risk of identity theft to any consumers. We have been assured by Alteryx that they promptly remedied this issue.”
The UpGuard researchers disagreed with that assessment.
“The data exposed in this bucket would be invaluable for unscrupulous marketers, spammers and identity thieves, for whom this data would be largely reliable and, more importantly, varied,” the researchers said. “With a large database of potential victims to survey — with such details as ‘mortgage ownership’ revealed, a common security verification question — the price could be far higher than merely bad publicity.”
Special Reports: All of CNET’s most in-depth features in one easy spot.
It’s Complicated: This is dating in the age of apps. Having fun yet? These stories get to the heart of the matter.
